Incident Response Flashcards

1
Q

What can initiate incident response? (6)

A
  1. Automated detection systems or sensor alerts
  2. Company user report
  3. Contractor or third-party ICT service provider report
  4. Internal or external organizational component incident report or situational awareness update
  5. Third-party reporting of network activity to known compromised infrastructure, detection of malicious code, loss of services, etc.
  6. Analytics or hunt teams that identify potentially malicious or otherwise unauthorized activity
2
Q

What do preparation activities include? (5)

A
  1. Documenting and understanding policies and procedures for incident response
  2. Configuring the environment to detect suspicious and malicious activity
  3. Establishing staffing plans
  4. Educating users on cyber threats and notification procedures
  5. Leveraging cyber threat intelligence (CTI) to proactively identify potential malicious activity
3
Q

Why is it important to define baselines (systems and networks) before an incident occurs?

A

To understand the basics of “normal” activity

4
Q

To be able to ensure resilient architectures and systems to maintain critical operations in a compromised state, what preparation activities should be included? (3)

A
  1. Having infrastructure in place to handle complex incidents, including classified and out-of-band communications
  2. Developing and testing courses of action (COAs) for containment and eradication
  3. Establishing means for collecting digital forensics and other data or evidence
5
Q

As part of preparation activities, what needs to be done in terms of policies and procedures? (3)

A
  1. Document incident response plans, including processes and procedures for designating a coordination lead (incident manager).
  2. Put policies and procedures in place to escalate and report major incidents and those with impact on the agency’s mission.
  3. Document contingency plans for additional resourcing and “surge support” with assigned roles and responsibilities
6
Q

What should policies address in terms of law enforcement? (3)

A
  1. notification
  2. interaction
  3. evidence sharing
7
Q

What sources should be leveraged for cyber threat intelligence? (4)

A
  1. government
  2. trusted partners
  3. open source
  4. commercial entities
8
Q

What includes threat indicators? (3)

A
  1. Atomic indicators, such as domains and IP addresses, that can detect adversary infrastructure and tools
  2. Computed indicators, such as Yara rules and regular expressions, that detect known malicious artifacts or signs of activity
  3. Patterns and behaviors, such as analytics that detect adversary tactics, techniques, and procedures (TTPs)
9
Q

What is the problem of atomic indicators?

A

Because adversaries often change their infrastructure (e.g., watering holes, botnets, C2 servers) between campaigns, the “shelf-life” of atomic indicators for detecting new adversary activity is limited. They might also switch to new infrastructure during a campaign when their activities are detected.

10
Q

What should businesses use to identify malicious activity when possible?

A

Patterns and behaviors, or adversary TTPs, as TTPs provide more useful and sustainable context about threat actors, their intentions, and their methods rather than atomic indicators alone.

11
Q

What is active defense?

A

The ability to redirect an adversary to a sandbox or honeynet system for additional study, or to “dark nets”, to delay the adversary’s discovery of the agency’s legitimate infrastructure.

12
Q

What can be implemented to enable defenders to study the adversary’s behavior and TTPs and thereby build a full picture of adversary capabilities?

A

Honeytokens (fictitious data objects) and fake accounts.

13
Q

What has to be established to be able to share information between the incident handlers?

A

Communication channels (chat rooms, phone bridges) and a method for out-of-band coordination.

14
Q

Measures should be taken to ensure that IR and defensive systems and processes will be operational during an attack, particularly in the event of pervasive compromises—such as a ransomware attack or one involving an aggressive attacker that may attempt to undermine defensive measures and distract or mislead defenders. What are those measures? (5)

A
  1. Segmenting and managing SOC systems separately from the broader enterprise IT systems.
  2. Managing sensors and security devices via out-of-band means.
  3. Notifying users of compromised systems via phone rather than email.
  4. Using hardened workstations to conduct monitoring and response activities
  5. Ensuring that defensive systems have robust backup and recovery processes.
15
Q

What should be done to avoid “tipping off” an attacker? (3)

A
  1. Have processes and systems to reduce the likelihood of detection of IR activities
  2. Do not submit malware samples to a public analysis service.
  3. Do not notify users of potentially compromised machines via email
16
Q

What capabilities should be implemented in terms of technical infrastructure? (2)

A
  1. Capabilities to contain, replicate, analyze, reconstitute, and document compromised hosts
  2. Capability to collect digital forensics and other data
17
Q

What needs to be established for sharing incident data and reports?

A

Secure storage that is only accessible by incident responders

18
Q

What means need to be ready for collecting forensic evidence? (3)

A
  1. disk and active memory imaging
  2. safely handling malware
  3. analysis tools and sandbox software for analyzing malware
19
Q

What information should a ticket contain? (5)

A
  1. Anomalous or suspicious activity, such as affected systems, applications, and users
  2. Activity type
  3. Specific threat group(s)
  4. Adversary tactics, techniques, and procedures (TTPs) employed
  5. Impact
20
Q

What should be leveraged to create rules and signatures to identify the activity associated with the incident and to scope its reach?

A

Threat intelligence

21
Q

What is often the most challenging aspect of the incident response process?

A

Accurately detecting and assessing cybersecurity incidents, i.e., incident triage.

22
Q

What activities are part of incident triage? (4)

A
  1. Determining whether an incident has occurred
  2. Determining the type of incident
  3. Determining the extent of the incident
  4. Determining the magnitude of the compromise (within cloud, OT, hybrid, host, and network systems)
23
Q

When determining the scope of the incident, available data needs to be leveraged to identify what? (3)

A
  1. The extent to which assets have been affected
  2. The level of privilege attained by the adversary
  3. The operational or informational impact
24
Q

What needs to be inspected to discover malicious activity? (3)

A
  1. The trail of network data
  2. Host-based artifacts
  3. Firewall (and other network devices) logs along with other network data, such as router traffic
25
Q

Data needs to be collected and preserved for which activities? (6)

A
  1. Incident verification
  2. Categorization
  3. Prioritization
  4. Mitigation
  5. Reporting
  6. Attribution
26
Q

What needs to be done when an endpoint requires forensic analysis?

A

Capture a memory and disk image for evidence preservation.

27
Q

What needs to be done when performing a technical analysis of the incident? The goal of this analysis is to examine the breadth of data sources throughout the environment to discover at least some part of an attack chain, if not all of it. (3)

A
  1. Develop a technical and contextual understanding of the incident
  2. Correlate information, assess anomalous activity against a known baseline to determine root cause
  3. Document adversary TTPs to enable prioritization of the subsequent response activities
28
Q

What needs to be done to allow the team to account for all adversary activity on the network that will assist in creating the findings report at the conclusion of the response? (2)

A
  1. Thoroughly document every step taken during this and subsequent phases.
  2. Create a timeline of all relevant findings
29
Q

When are indicators as standalone artifacts most valuable?

A

In the early stages of incident response, as they provide insight into the adversary’s capabilities and infrastructure

30
Q

What does responding to TTPs enable defenders to do?

A

Hypothesize the adversary’s most likely course of action

31
Q

What do adversaries often use to avoid detection once they gain a foothold in an environment?

A

Leverage legitimate native operating system utilities and scripting languages

32
Q

What should be done to identify anomalous activity?

A

Assess and profile affected systems and networks for subtle activity that might be adversary behavior.
This enables the team to identify deviations from the established baseline activity and can be particularly important in identifying activities such as attempts to leverage legitimate credentials and native capabilities in the environment.

33
Q

What informs the triage and post-incident activity?

A

Identification of the conditions that enabled the adversary to access and operate within the environment.

34
Q

What should the gathered TTPs be compared to?

A

TTPs documented in ATT&CK, which should help to analyze how the TTPs fit into the attack lifecycle

35
Q

What do the Tactics in TTPs describe?

A

Tactics describe the technical objective an adversary is trying to achieve (“why”)

36
Q

What do the Techniques in TTPs describe?

A

The different mechanisms adversaries use to achieve that objective (“what”)

37
Q

What do the Procedures in TTPs describe?

A

How the adversary achieves a specific result (“how”).

38
Q

What needs to be done during an incident, as information evolves?

A

Update and communicate the scope to all stakeholders to ensure a common operating picture.

39
Q

What does the IR team need to use to modify tools to slow the pace of the adversarial advance and increase the likelihood of detection?

A

Its developing understanding of the adversary’s TTPs

40
Q

What role should the IOC signatures play in the prevention and detection tools?

A
  1. Impose temporary operational cost upon the adversary
  2. Assist with scoping the incident
41
Q

What can an adversary do to subvert IOC-centric response mechanisms?

A

Introduce new tools to the network and/or modify existing tools

42
Q

What questions should be asked during the Detection & Analysis phase? (10)

A
  1. What was the initial attack vector? (i.e., How did the adversary gain initial access to the network?)
  2. How is the adversary accessing the environment?
  3. Is the adversary exploiting vulnerabilities to achieve access or privilege?
  4. How is the adversary maintaining command and control?
  5. Does the actor have persistence on the network or device?
  6. What is the method of persistence (e.g., malware backdoor, webshell, legitimate credentials, remote tools, etc.)?
  7. What accounts have been compromised and what privilege level (e.g., domain admin, local admin, user account, etc.)?
  8. What method is being used for reconnaissance? (Discovering the reconnaissance method may provide an opportunity for detection and to determine possible intent.)
  9. Is lateral movement suspected or known? How is lateral movement conducted (e.g., RDP, network shares, malware, etc.)?
  10. Has data been exfiltrated and, if so, what kind and via what mechanism?
43
Q

What is the objective of containment?

A

Prevent further damage and reduce the immediate impact of the incident by removing the adversary’s access.

44
Q

What drives the type of containment strategy used?

A

The particular scenario. The containment approach to an active sophisticated adversary using fileless malware will be different than the containment approach for ransomware.

45
Q

When evaluating containment courses of action, what should be considered? (3)

A
  1. Any additional adverse impacts to mission operations, availability of services (e.g., network connectivity, services provided to external parties)
  2. Duration of the containment process, resources needed, and effectiveness (e.g., full vs. partial containment; full vs. unknown level of containment)
  3. Any impact on the collection, preservation, securing, and documentation of evidence
46
Q

Why should defenders develop as complete a picture as possible of the attacker’s capabilities and potential reactions?

A

To avoid “tipping off” the adversary.

47
Q

Why is containment challenging?

A

Because defenders must be as complete as possible in identifying adversary activity, while considering the risk of allowing the adversary to persist until the full scope of the compromise can be determined.

48
Q

What are containment activities?

A

Short-term mitigations to isolate threat actor activity and prevent additional damage from the activity or pivoting into other systems.

49
Q

As part of containment activities, when isolating impacted systems and network segments from each other and/or from non-impacted systems and networks, what has to be considered?

A

The mission or business needs and how to provide services so missions can continue during this phase to the extent possible

50
Q

As part of containment activities, what should be done to preserve evidence for legal use (if applicable) and further investigation of the incident?

A

Capturing forensic images.

51
Q

As part of containment activities, what should be done to isolate the compromised system on the network level?

A

Configure a firewall rule.

52
Q

As part of containment activities, what needs to be done if compromise is suspected?

A
  1. changing system admin passwords
  2. rotating private keys, API keys
  3. rotating service/application account secrets where
  4. revocation of certificates or privileged accesses
53
Q

As part of containment activities, if the SOC is advanced, where can the actor be directed in order to monitor the actor’s activity, gather additional evidence, and identify attack vectors?

A

A sandbox

54
Q

What needs to be done if new signs of compromise are found?

A

Return to the technical analysis step to rescope the incident.

55
Q

What needs to be done to successfully contain an incident?

A

Ensure that the containment scope encompasses all related incidents and activity, especially all adversary activity.

56
Q

What needs to be done upon successful containment (i.e., no new signs of compromise)?

A

  1. Preserve evidence for reference or law enforcement investigation
  2. Adjust detection tools
  3. Move to eradication and recovery

56
Q

What is the objective of Eradication & Recovery?

A

Allow the return of normal operations by eliminating artifacts of the incident (e.g., remove malicious code, re-image infected systems) and mitigating the vulnerabilities or other conditions that were exploited.