Incident Response & Forensics

Question 1

Incident Management Program

Answer 1

Program consisting of the monitoring and detection of security events on a computer network and the execution of proper response to those security events

Question 2

Incident Response Team

Answer 2

• Incident Response Manager
• Security Analyst
• Triage Analyst
• Forensic Analyst
• Threat Researcher
• Cross-functional Support

Question 3

Out-of-Band Communication

Answer 3

Signals that are sent between two parties or two device that are sent via a path or method different from that of the primary communication between the two parties or devices

Question 4

journalctl

Answer 4

A Linux command line utility used for querying and displaying logs from journald, the systemd logging service on Linux

Question 5

nxlog

Answer 5

A multi-platform log management tool that helps to easily identify security risks, policy breaches or analyze operational problems in server logs, operation system logs and application logs

nxlog is a cross-platform, open-source tool that is similar to rsyslog or syslog-ng

Question 6

netflow

Answer 6

A network protocol system created by Cisco that collects active IP network traffic as it flows in or out of an interface, including its point of origin, destination, volume and paths on the network

Question 7

sflow

Answer 7

Short for “sampled flow”, it provides a means for exporting truncated packets, together with interface counters for the purpose of network monitoring

Only a portion of actual network traffic (not technically a flow)
Lower resource requirements
Usually embedded in the infrastructure
Relatively accurate statistics

Question 8

IPfix

Answer 8

Internet Protocol Flow Information Export:
Newer netflow-based standard (evolved from Netflow v9)
Flexible data support
Templates are used to describe data

IETF standardization for how IPflow information gets formatted and transferred from an exporter to a collector

Question 9

Forensic Procedures

Answer 9

Identification
Ensure the scene is safe, secure the scene to prevent evidence contamination, and identify the scope of evidence to be collected

Collection
Ensure authorization to collect evidence is obtained, and then document and prove the integrity of evidence as it is collected

Analysis
Create a copy of evidence for analysis and use repeatable methods and tools during analysis

Reporting
Create a report of the methods and tools used in the investigation and present detailed findings and conclusions based on the analysis

Legal Hold
A process designed to preserve all relevant information when litigation is reasonably expected to occur
A computer or server could be seized as evidence

Question 10

nmap

Answer 10

An open-source network scanner that is used to discover hosts and services on a computer network by sending packets and analyzing their responses

Question 11

hping

Answer 11

An open-source packet generator and analyzer for the TCP/IP protocol that is used for security auditing and testing of firewalls and networks

Send crafted frames
Modify all IP, TCP, UDP, & ICMP values

Question 12

netcat

Answer 12

Utility for reading from and writing to network connections using TCP or UDP which is a dependable back-end that can be used directly or easily driven by other programs and scripts

Can be used for Banner Grabbing; used for shell connections as well

Question 13

curl

Answer 13

A command line tool to transfer data to or from a server, using any of the supported protocols (HTTP, FTP, IMAP, POP3, SCP, SFTP, SMTP, TFTP, TELNET, LDAP or FILE)

Client URL
Retrieve data using a URL (web pages, FTP, emails, databases)
Grabs raw data (search, parse, automate)

Question 14

The Harvester

Answer 14

A python script that is used to gather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN database

Gather OSINT
Scrape info from Google/Bing
List people on LinkedIn
DNS brute force
VPN, chat, mail

Question 15

sn1per

Answer 15

An automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities across a network

Combines many recon tools into a single framework
Dnsenum, metasploit, nmap, theHarvester, & more
Both non-intrusive and very intrusive scanning options
Another tool that can cause problems (brute force, server scanning)

Question 16

scanless

Answer 16

Utility that is used to create an exploitation website that can perform open port scans in a more stealth-like manner

Stealth because you will appear as the web server, and not yourself

Question 17

dnsenum

Answer 17

Utility that is used for DNS enumeration to locate all DNS servers and DNS entries for a given organization

Question 18

Nessus

Answer 18

A proprietary vulnerability scanner that can remotely scan a computer or network for vulnerabilities

Question 19

Cuckoo

Answer 19

An open source software for automating analysis of suspicious files

A sandbox for malware
A virtualized environment (Windows/Linux/macOS/Android)
Track & trace
API calls, network traffic, memory analysis

Question 20

head

Answer 20

A command-line utility for outputting the first ten lines of a file provided to it

Question 21

tail

Answer 21

A command-line utility for outputting the last ten lines of a file provided to it

Question 22

cat

Answer 22

A command-line utility for outputting the contents of a file to the screen

Question 23

grep

Answer 23

A command-line utility for searching plain-text data sets for lines that match a regular expression or pattern

Question 24

logger

Answer 24

Utility that provides an easy way to add messages to the /var/log/syslog file from the command line or from other files

Question 25

OpenSSL

Answer 25

A software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end ``` A toolkit & crypto library for SSL/TLS Create X.509 certificates Manage CSRs and CRLs Message digests Encryption/decryption ```

Question 26

tcpdump

Answer 26

A command line utility that allows you to capture and analyze network traffic going through your system

Question 27

tcpreplay

Answer 27

A suite of free open source utilities for editing and replaying previously captured network traffic Test security devices Check IPS signatures & firewall rules Test & tune IPflow/NetFlow devices Send hundreds of thousands of traffic flows per second Evaluate the performance of security devices Test throughput & flows per second

Question 28

Wireshark

Answer 28

A popular network analysis tool to capture network packets and display them at a granular level for real-time or offline analysis

Question 29

FTK Imager

Answer 29

A data preview and imaging tool that lets you quickly assess electronic evidence to determine if further analysis with a forensic tool is needed

Question 30

Memdump

Answer 30

A command line utility used to dump system memory to the standard output stream by skipping over holes in memory maps

Question 31

WinHex

Answer 31

A commercial disk editor and universal hexadecimal editor used for data recovery and digital forensics

Question 32

Autopsy

Answer 32

A digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools Extract many different data times Downloads, browser cache/history, emails, databases, etc

Question 33

Metasploit (MSF)

Answer 33

A computer security tool that offers information about software vulnerabilities, IDS signature development, and improves penetration testing

Question 34

BeEF

Answer 34

Browser Exploitation Framework: A tool that can hook one or more browsers and can use them as a beachhead of launching various direct commands and further attacks against the system from within the browser context

Question 35

Cain & Abel

Answer 35

A password recovery tool that can be used through sniffing the network, cracking encrypted passwords using dictionary, brute-force, and cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, and analyzing routing protocols

Question 36

John the Ripper

Answer 36

An open source password security auditing and password recovery tool available for many operating systems

Question 37

Incident Response Process

Answer 37

``` Preparation Identification Containment Eradication Recovery Lesson Learned ```

Question 38

Exercises: Tabletop

Answer 38

Talking through a drill occurring instead of physically acting it out Talk through a simulated disaster

Question 39

Exercises: Walkthrough

Answer 39

Include responders (a step beyond a tabletop exercise) Test processes/procedures before an event Walk through each step Involve all groups Reference actual response materials

Question 40

Exercises: Simulations

Answer 40

Testing a simulated event Example: Phishing Create a phishing email attack for your organization and see who falls for it If someone fell for it, they need additional training

Question 41

Stakeholder Management

Answer 41

Keeping an ongoing relationship with IT customers (internal/external) IT would not exist without the stakeholder Most of this happens prior to an incident & continues after

Question 42

COOP

Answer 42

Continuity of Operations Planning: An alternative in case technology fails Manual transactions, paper receipts, phone calls for transaction approvals

Question 43

Retention Policies

Answer 43

Backup your data (how much? where?) Lifecycle of data, purging old data Regulatory compliance A certain amount of data backup may be required Differentiate by type & application

Question 44

Recording Time Offsets

Answer 44

The time zone determines how time is displayed Document local device settings Different file systems use different timestamp formats Record the time offset form the OS

Question 45

Order of Volatility

Answer 45

``` (From most to least volatile) CPU registers, CPU cache Router table, ARP cache, process table, kernel stats, memory Temporary file systems Disk Remote logging & monitoring data Physical configuration, network topology Archival media ```

Question 46

Checksums

Answer 46

Protect against accidental changes during transmission Simple integrity check Not designed to replace a hash

Question 47

Provenance

Answer 47

Documentation of authenticity Chain of custody for data handling Blockchain tech

Question 48

E-Discovery

Answer 48

Collect, prepare, review, interpret, & produce electronic documents Gathering details & providing to legal authorities Works together with digital forensics

Question 49

Non-Repudiation

Answer 49

Proof of data integrity & origin You said it (or did it), you can’t deny it MAC (Message Authentication Code) Two parties verify non-repudiation Digital signature (non-repudiation is publicly verified)