Incident Response Flashcards
What can initiate incident response? (6)
- Automated detection systems or sensor alerts
- Company user report
- Contractor or third-party ICT service provider report
- Internal or external organizational component incident report or situational awareness update
- Third-party reporting of network activity to known compromised infrastructure, detection of malicious code, loss of services, etc.
- Analytics or hunt teams that identify potentially malicious or otherwise unauthorized activity
What do preparation activities include? (5)
- Documenting and understanding policies and procedures for incident response
- Configuring the environment to detect suspicious and malicious activity
- Establishing staffing plans
- Educating users on cyber threats and notification procedures
- Leveraging cyber threat intelligence (CTI) to proactively identify potential malicious activity
Why is it important to define baselines (systems and networks) before an incident occurs?
To understand the basics of “normal” activity
To be able to ensure resilient architectures and systems to maintain critical operations in a compromised state, what preparation activities should be included? (3)
- Having infrastructure in place to handle complex incidents, including classified and out-of-band communications
- Developing and testing courses of action (COAs) for containment and eradication
- Establishing means for collecting digital forensics and other data or evidence
As part of preparation activities, what needs to be done in terms of policies and procedures? (3)
- Document incident response plans, including processes and procedures for designating a coordination lead (incident manager).
- Put policies and procedures in place to escalate and report major incidents and those with impact on the agency’s mission.
- Document contingency plans for additional resourcing and “surge support” with assigned roles and responsibilities
What should policies address in terms of law enforcement? (3)
- notification
- interaction
- evidence sharing
What sources should be leveraged for cyber threat intelligence? (4)
- government
- trusted partners
- open source
- commercial entities
What includes threat indicators? (3)
- Atomic indicators, such as domains and IP addresses, that can detect adversary infrastructure and tools
- Computed indicators, such as Yara rules and regular expressions, that detect known malicious artifacts or signs of activity
- Patterns and behaviors, such as analytics that detect adversary tactics, techniques, and procedures (TTPs)
What is the problem of atomic indicators?
Adversaries often change their infrastructure (e.g., watering holes, botnets, C2 servers) between campaigns, so the “shelf-life” of atomic indicators for detecting new adversary activity is limited. They might also switch to new infrastructure during a campaign when their activities are detected.
What should businesses use to identify malicious activity when possible?
Patterns and behaviors, or adversary TTPs, as TTPs provide more useful and sustainable context about threat actors, their intentions, and their methods than atomic indicators alone.
What is active defense?
The ability to redirect an adversary to a sandbox or honeynet system for additional study, or to “dark nets”, to delay the adversary’s discovery of the agency’s legitimate infrastructure.
What can be implemented to enable defenders to study the adversary’s behavior and TTPs and thereby build a full picture of adversary capabilities?
Honeytokens (fictitious data objects) and fake accounts.
What has to be established to be able to share information between the incident handlers?
Communication channels (chat rooms, phone bridges) and a method for out-of-band coordination.
Measures should be taken to ensure that IR and defensive systems and processes will be operational during an attack, particularly in the event of pervasive compromises—such as a ransomware attack or one involving an aggressive attacker that may attempt to undermine defensive measures and distract or mislead defenders. What are those measures? (5)
- Segmenting and managing SOC systems separately from the broader enterprise IT systems.
- Managing sensors and security devices via out-of-band means.
- Notifying users of compromised systems via phone rather than email.
- Using hardened workstations to conduct monitoring and response activities
- Ensuring that defensive systems have robust backup and recovery processes.
What should be done to avoid “tipping off” an attacker? (3)
- Have processes and systems to reduce the likelihood of detection of IR activities
- Do not submit malware samples to a public analysis service.
- Do not notify users of potentially compromised machines via email
What capabilities should be implemented in terms of technical infrastructure? (2)
- Capabilities to contain, replicate, analyze, reconstitute, and document compromised hosts
- Capability to collect digital forensics and other data
What needs to be established for incident data and report sharing?
Secure storage that is only accessible by incident responders
What means need to be ready for collecting forensic evidence? (3)
- disk and active memory imaging
- safely handling malware
- analysis tools and sandbox software for analyzing malware
What information should a ticket contain? (5)
- Anomalous or suspicious activity, such as affected systems, applications, and users
- Activity type
- Specific threat group(s)
- Adversary tactics, techniques, and procedures (TTPs) employed
- Impact
What should be leveraged to create rules and signatures to identify the activity associated with the incident and to scope its reach?
Threat intelligence
What is often the most challenging aspect of the incident response process?
Accurately detecting and assessing cybersecurity incidents - incident triage.
What activities are part of incident triage? (4)
- Determining whether an incident has occurred
- Determining the type of incident
- Determining the extent of the incident
- Determining the magnitude of the compromise (within cloud, OT, hybrid, host, and network systems)
When determining the scope of the incident, available data needs to be leveraged to identify what? (3)
- The extent to which assets have been affected
- The level of privilege attained by the adversary
- The operational or informational impact
What needs to be inspected to discover malicious activity? (3)
- The trail of network data
- Host-based artifacts
- Firewall (and other network devices) logs along with other network data, such as router traffic
Data need to be collected and preserved for which activities? (6)
- Incident verification
- Categorization
- Prioritization
- Mitigation
- Reporting
- Attribution
What needs to be done when an endpoint requires forensic analysis?
Capture a memory and disk image for evidence preservation.
What needs to be done when performing a technical analysis of the incident? The goal of this analysis is to examine the breadth of data sources throughout the environment to discover at least some part of an attack chain, if not all of it. (3)
- Develop a technical and contextual understanding of the incident
- Correlate information, assess anomalous activity against a known baseline to determine root cause
- Document adversary TTPs to enable prioritization of the subsequent response activities
What needs to be done to allow the team to account for all adversary activity on the network that will assist in creating the findings report at the conclusion of the response? (2)
- Thoroughly document every step taken during this and subsequent phases.
- Create a timeline of all relevant findings
When are indicators as standalone artifacts most valuable?
In the early stages of incident response, as they provide insight into the adversary’s capabilities and infrastructure
What does responding to TTPs enable defenders to do?
Hypothesize the adversary’s most likely course of action
What do adversaries often use once they gain a foothold in an environment to avoid detection?
Legitimate native operating system utilities and scripting languages
What should be done to identify anomalous activity?
Assess and profile affected systems and networks for subtle activity that might be adversary behavior. This enables the team to identify deviations from the established baseline activity and can be particularly important in identifying activities such as attempts to leverage legitimate credentials and native capabilities in the environment.
What informs the triage and post-incident activity?
Identification of the conditions that enabled the adversary to access and operate within the environment.
What should the gathered TTPs be compared to?
TTPs documented in ATT&CK, which should help to analyze how the TTPs fit into the attack lifecycle
What do Tactics from TTP describe?
Tactics describe the technical objective an adversary is trying to achieve (“why”)
What do Techniques from TTP describe?
Different mechanisms adversaries use to achieve it (“what”)
What do Procedures from TTP describe?
How the adversary achieves a specific result (“how”).
What needs to be done during an incident, as information evolves?
Update and communicate the scope to all stakeholders to ensure a common operating picture.
What does the IR team need to use to modify tools to slow the pace of the adversarial advance and increase the likelihood of detection?
Its developing understanding of the adversary’s TTPs
What role should IOC signatures play in prevention and detection tools? (2)
- Impose a temporary operational cost upon the adversary
- Assist with scoping the incident
What can an adversary do to subvert IOC-centric response mechanisms?
Introduce new tools to the network and/or modify existing tools
What questions should be asked during the Detection & Analysis phase? (10)
- What was the initial attack vector? (i.e., How did the adversary gain initial access to the network?)
- How is the adversary accessing the environment?
- Is the adversary exploiting vulnerabilities to achieve access or privilege?
- How is the adversary maintaining command and control?
- Does the actor have persistence on the network or device?
- What is the method of persistence (e.g., malware backdoor, webshell, legitimate credentials, remote tools, etc.)?
- What accounts have been compromised and what privilege level (e.g., domain admin, local admin, user account, etc.)?
- What method is being used for reconnaissance? (Discovering the reconnaissance method may provide an opportunity for detection and to determine possible intent.)
- Is lateral movement suspected or known? How is lateral movement conducted (e.g., RDP, network shares, malware, etc.)?
- Has data been exfiltrated and, if so, what kind and via what mechanism?
What is the objective of containment?
Prevent further damage and reduce the immediate impact of the incident by removing the adversary’s access.
What drives the type of containment strategy used?
The particular scenario. The containment approach to an active sophisticated adversary using fileless malware will be different than the containment approach for ransomware.
When evaluating containment courses of action, what should be considered? (3)
- Any additional adverse impacts to mission operations, availability of services (e.g., network connectivity, services provided to external parties)
- Duration of the containment process, resources needed, and effectiveness (e.g., full vs. partial containment; full vs. unknown level of containment)
- Any impact on the collection, preservation, securing, and documentation of evidence
Why should defenders develop as complete a picture as possible of the attacker’s capabilities and potential reactions?
To avoid “tipping off” the adversary.
Why is containment challenging?
Because defenders must be as complete as possible in identifying adversary activity, while considering the risk of allowing the adversary to persist until the full scope of the compromise can be determined.
What are containment activities?
Short-term mitigations to isolate threat actor activity and prevent additional damage from the activity or pivoting into other systems.
As part of containment activities, when isolating impacted systems and network segments from each other and/or from non-impacted systems and networks, what has to be considered?
The mission or business needs and how to provide services so missions can continue during this phase to the extent possible
As part of containment activities, what should be done to preserve evidence for legal use (if applicable) and further investigation of the incident?
Capturing forensic images.
As part of containment activities, what should be done to isolate the compromised system on the network level?
Configure a firewall rule.
As part of containment activities, what needs to be done if compromise is suspected?
- changing system admin passwords
- rotating private keys and API keys
- rotating service/application account secrets
- revoking certificates or privileged accesses
As part of containment activities, if the SOC is advanced, where can the actor be directed in order to monitor the actor’s activity, gather additional evidence, and identify attack vectors?
A sandbox
What needs to be done, if new signs of compromise are found?
Return to the technical analysis step to rescope the incident.
What needs to be done to successfully contain an incident?
Ensure that the containment scope encompasses all related incidents and activity—especially all adversary activity
What needs to be done upon successful containment (i.e., no new signs of compromise)? (3)
- Preserve evidence for reference or law enforcement investigation
- Adjust detection tools
- Move to eradication and recovery
What is the objective of Eradication & Recovery?
Allow the return of normal operations by eliminating artifacts of the incident (e.g., remove malicious code, re-image infected systems) and mitigating the vulnerabilities or other conditions that were exploited.