Incident Response & Forensics Flashcards
Incident Management Program
Program consisting of the monitoring and detection of security events on a computer network and the execution of proper response to those security events
Incident Response Team
- Incident Response Manager
- Security Analyst
- Triage Analyst
- Forensic Analyst
- Threat Researcher
- Cross-functional Support
Out-of-Band Communication
Signals that are sent between two parties or two device that are sent via a path or method different from that of the primary communication between the two parties or devices
journalctl
A Linux command line utility used for querying and displaying logs from journald, the systemd logging service on Linux
nxlog
A multi-platform log management tool that helps to easily identify security risks, policy breaches or analyze operational problems in server logs, operation system logs and application logs
nxlog is a cross-platform, open-source tool that is similar to rsyslog or syslog-ng
netflow
A network protocol system created by Cisco that collects active IP network traffic as it flows in or out of an interface, including its point of origin, destination, volume and paths on the network
sflow
Short for “sampled flow”, it provides a means for exporting truncated packets, together with interface counters for the purpose of network monitoring
Only a portion of actual network traffic (not technically a flow)
Lower resource requirements
Usually embedded in the infrastructure
Relatively accurate statistics
IPfix
Internet Protocol Flow Information Export:
Newer netflow-based standard (evolved from Netflow v9)
Flexible data support
Templates are used to describe data
IETF standardization for how IPflow information gets formatted and transferred from an exporter to a collector
Forensic Procedures
Identification
Ensure the scene is safe, secure the scene to prevent evidence contamination, and identify the scope of evidence to be collected
Collection
Ensure authorization to collect evidence is obtained, and then document and prove the integrity of evidence as it is collected
Analysis
Create a copy of evidence for analysis and use repeatable methods and tools during analysis
Reporting
Create a report of the methods and tools used in the investigation and present detailed findings and conclusions based on the analysis
Legal Hold
A process designed to preserve all relevant information when litigation is reasonably expected to occur
A computer or server could be seized as evidence
nmap
An open-source network scanner that is used to discover hosts and services on a computer network by sending packets and analyzing their responses
hping
An open-source packet generator and analyzer for the TCP/IP protocol that is used for security auditing and testing of firewalls and networks
Send crafted frames
Modify all IP, TCP, UDP, & ICMP values
netcat
Utility for reading from and writing to network connections using TCP or UDP which is a dependable back-end that can be used directly or easily driven by other programs and scripts
Can be used for Banner Grabbing; used for shell connections as well
curl
A command line tool to transfer data to or from a server, using any of the supported protocols (HTTP, FTP, IMAP, POP3, SCP, SFTP, SMTP, TFTP, TELNET, LDAP or FILE)
Client URL
Retrieve data using a URL (web pages, FTP, emails, databases)
Grabs raw data (search, parse, automate)
The Harvester
A python script that is used to gather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN database
Gather OSINT Scrape info from Google/Bing List people on LinkedIn DNS brute force VPN, chat, mail
sn1per
An automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities across a network
Combines many recon tools into a single framework
Dnsenum, metasploit, nmap, theHarvester, & more
Both non-intrusive and very intrusive scanning options
Another tool that can cause problems (brute force, server scanning)
scanless
Utility that is used to create an exploitation website that can perform open port scans in a more stealth-like manner
Stealth because you will appear as the web server, and not yourself
dnsenum
Utility that is used for DNS enumeration to locate all DNS servers and DNS entries for a given organization
Nessus
A proprietary vulnerability scanner that can remotely scan a computer or network for vulnerabilities
Cuckoo
An open source software for automating analysis of suspicious files
A sandbox for malware
A virtualized environment (Windows/Linux/macOS/Android)
Track & trace
API calls, network traffic, memory analysis
head
A command-line utility for outputting the first ten lines of a file provided to it
tail
A command-line utility for outputting the last ten lines of a file provided to it
cat
A command-line utility for outputting the contents of a file to the screen
grep
A command-line utility for searching plain-text data sets for lines that match a regular expression or pattern
logger
Utility that provides an easy way to add messages to the /var/log/syslog file from the command line or from other files
OpenSSL
A software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end
A toolkit & crypto library for SSL/TLS Create X.509 certificates Manage CSRs and CRLs Message digests Encryption/decryption
tcpdump
A command line utility that allows you to capture and analyze network traffic going through your system
tcpreplay
A suite of free open source utilities for editing and replaying previously captured network traffic
Test security devices
Check IPS signatures & firewall rules
Test & tune IPflow/NetFlow devices
Send hundreds of thousands of traffic flows per second
Evaluate the performance of security devices
Test throughput & flows per second
Wireshark
A popular network analysis tool to capture network packets and display them at a granular level for real-time or offline analysis
FTK Imager
A data preview and imaging tool that lets you quickly assess electronic evidence to determine if further analysis with a forensic tool is needed
Memdump
A command line utility used to dump system memory to the standard output stream by skipping over holes in memory maps
WinHex
A commercial disk editor and universal hexadecimal editor used for data recovery and digital forensics
Autopsy
A digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools
Extract many different data times
Downloads, browser cache/history, emails, databases, etc
Metasploit (MSF)
A computer security tool that offers information about software vulnerabilities, IDS signature development, and improves penetration testing
BeEF
Browser Exploitation Framework:
A tool that can hook one or more browsers and can use them as a beachhead of launching various direct commands and further attacks against the system from within the browser context
Cain & Abel
A password recovery tool that can be used through sniffing the network, cracking encrypted passwords using dictionary, brute-force, and cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, and analyzing routing protocols
John the Ripper
An open source password security auditing and password recovery tool available for many operating systems
Incident Response Process
Preparation Identification Containment Eradication Recovery Lesson Learned
Exercises: Tabletop
Talking through a drill occurring instead of physically acting it out
Talk through a simulated disaster
Exercises: Walkthrough
Include responders (a step beyond a tabletop exercise)
Test processes/procedures before an event
Walk through each step
Involve all groups
Reference actual response materials
Exercises: Simulations
Testing a simulated event
Example: Phishing
Create a phishing email attack for your organization and see who falls for it
If someone fell for it, they need additional training
Stakeholder Management
Keeping an ongoing relationship with IT customers (internal/external)
IT would not exist without the stakeholder
Most of this happens prior to an incident & continues after
COOP
Continuity of Operations Planning:
An alternative in case technology fails
Manual transactions, paper receipts, phone calls for transaction approvals
Retention Policies
Backup your data (how much? where?)
Lifecycle of data, purging old data
Regulatory compliance
A certain amount of data backup may be required
Differentiate by type & application
Recording Time Offsets
The time zone determines how time is displayed
Document local device settings
Different file systems use different timestamp formats
Record the time offset form the OS
Order of Volatility
(From most to least volatile) CPU registers, CPU cache Router table, ARP cache, process table, kernel stats, memory Temporary file systems Disk Remote logging & monitoring data Physical configuration, network topology Archival media
Checksums
Protect against accidental changes during transmission
Simple integrity check
Not designed to replace a hash
Provenance
Documentation of authenticity
Chain of custody for data handling
Blockchain tech
E-Discovery
Collect, prepare, review, interpret, & produce electronic documents
Gathering details & providing to legal authorities
Works together with digital forensics
Non-Repudiation
Proof of data integrity & origin
You said it (or did it), you can’t deny it
MAC (Message Authentication Code)
Two parties verify non-repudiation
Digital signature (non-repudiation is publicly verified)
