Incident Response & Forensics Flashcards

1
Q

Incident Management Program

A

Program consisting of the monitoring and detection of security events on a computer network and the execution of the proper response to those events

2
Q

Incident Response Team

A
  • Incident Response Manager
  • Security Analyst
  • Triage Analyst
  • Forensic Analyst
  • Threat Researcher
  • Cross-functional Support
3
Q

Out-of-Band Communication

A

Signals sent between two parties or two devices via a path or method different from the one used for their primary communication; during an incident this matters because the attacker may be able to read the primary channel (corporate email, chat), so responders coordinate over a separate channel such as phones or an independent messaging service

4
Q

journalctl

A

A Linux command line utility used for querying and displaying logs from journald, the systemd logging service (for example, journalctl -u ssh --since today shows one unit's entries for the current day)

5
Q

nxlog

A

A multi-platform log management tool that helps identify security risks, policy breaches and operational problems in server logs, operating system logs and application logs

NXLog is a cross-platform log collector and forwarder, similar in role to rsyslog or syslog-ng; its Community Edition is open source

6
Q

netflow

A

A flow-export protocol created by Cisco that records metadata about IP traffic as it flows in or out of an interface: source and destination addresses and ports, protocol, byte and packet counts, and the interfaces traversed. It records who talked to whom and how much, not packet payloads

7
Q

sflow

A

Short for "sampled flow", it exports 1-in-N sampled packet headers together with interface counters for the purpose of network monitoring

Only a sample of the actual traffic is exported (not technically a flow record)
Lower resource requirements on the exporting device
Usually embedded in switch and router hardware
Statistics are relatively accurate in aggregate, but a single short or rare connection can be missed entirely

8
Q

IPfix

A

Internet Protocol Flow Information Export:
Newer NetFlow-based standard (evolved from NetFlow v9)
Flexible data support: templates describe the fields carried in each record

IETF standard (RFC 7011) for how IP flow information is formatted and transferred from an exporter to a collector
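
The flow-export formats in the three cards above, as an added example that is not part of the original flashcards: a Python decoder for the NetFlow v5 binary layout (a 24-byte header followed by 48-byte records, all big-endian), run over a constructed export packet, followed by the simplest useful detection over decoded flows, outbound volume per internal host. The addresses (RFC 5737 documentation ranges), byte counts and the 100 MB threshold are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List

# NetFlow v5 export packet: 24-byte header followed by `count` 48-byte records, big-endian.
V5_HEADER = struct.Struct(">HHIIIIBBH")  # version, count, sys_uptime, unix_secs, unix_nsecs,
                                         # flow_sequence, engine_type, engine_id, sampling_interval
V5_RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")  # srcaddr, dstaddr, nexthop, input, output,
                                                       # dPkts, dOctets, first, last, srcport, dstport,
                                                       # pad1, tcp_flags, prot, tos, src_as, dst_as,
                                                       # src_mask, dst_mask, pad2
INTERNAL = IPv4Network("10.0.0.0/8")

# Constructed flows: one normal HTTPS session, one very large SSH transfer to an external host,
# and one internal DNS lookup that never leaves the network.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "sport": 51234, "dport": 443, "proto": 6,
     "pkts": 40, "bytes": 18_000},
    {"src": "10.0.0.7", "dst": "198.51.100.23", "sport": 50001, "dport": 22, "proto": 6,
     "pkts": 900_000, "bytes": 1_300_000_000},
    {"src": "10.0.0.9", "dst": "10.0.0.1", "sport": 53000, "dport": 53, "proto": 17,
     "pkts": 2, "bytes": 180},
]


def build_v5_packet(flows: List[dict]) -> bytes:
    """Serialize flows into a v5 datagram, as a collector would receive it over UDP."""
    header = V5_HEADER.pack(5, len(flows), 123_456, 1_709_475_251, 0, 1, 0, 0, 0)
    records = b"".join(
        V5_RECORD.pack(IPv4Address(f["src"]).packed, IPv4Address(f["dst"]).packed, b"\x00" * 4,
                       1, 2, f["pkts"], f["bytes"], 1000, 2000, f["sport"], f["dport"],
                       0, 0x18, f["proto"], 0, 0, 0, 24, 24, 0)
        for f in flows)
    return header + records


def parse_v5(packet: bytes) -> List[dict]:
    """Decode a v5 packet; reject other versions and truncated datagrams instead of guessing."""
    version, count, *_ = V5_HEADER.unpack_from(packet, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(packet) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated export packet")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(packet, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": str(IPv4Address(r[0])), "dst": str(IPv4Address(r[1])),
                      "pkts": r[5], "bytes": r[6], "sport": r[9], "dport": r[10],
                      "tcp_flags": r[12], "proto": r[13]})
    return flows


def bytes_out_per_host(flows: List[dict], internal: IPv4Network = INTERNAL) -> Dict[str, int]:
    """Octets sent by each internal host to destinations outside the internal prefix."""
    totals: Dict[str, int] = {}
    for f in flows:
        if IPv4Address(f["src"]) in internal and IPv4Address(f["dst"]) not in internal:
            totals[f["src"]] = totals.get(f["src"], 0) + f["bytes"]
    return totals


def flag_exfil(flows: List[dict], threshold: int = 100_000_000) -> List[str]:
    """Hosts whose outbound volume in one export interval reaches the threshold (100 MB here)."""
    return sorted(h for h, b in bytes_out_per_host(flows).items() if b >= threshold)


if __name__ == "__main__":
    decoded = parse_v5(build_v5_packet(SAMPLE_FLOWS))
    for f in decoded:
        print(f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} proto={f['proto']} bytes={f['bytes']}")
    print("possible exfiltration:", flag_exfil(decoded))
```

The same header-then-records shape carries over to v9 and IPFIX, except that there the record layout is not fixed but described by templates sent in the same stream, so a parser has to cache templates per exporter before it can decode data records.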

9
Q

Forensic Procedures

A

Identification
Ensure the scene is safe, secure the scene to prevent evidence contamination, and identify the scope of evidence to be collected

Collection
Ensure authorization to collect evidence is obtained, and then document and prove the integrity of evidence as it is collected

Analysis
Create a copy of evidence for analysis and use repeatable methods and tools during analysis

Reporting
Create a report of the methods and tools used in the investigation and present detailed findings and conclusions based on the analysis

Legal Hold
A process designed to preserve all relevant information when litigation is reasonably expected to occur
A computer or server could be seized as evidence
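
The Collection and Analysis steps above, as an added example that is not part of the original flashcards: Python that images a source file to a working copy, hashes both with SHA-256, writes a chain-of-custody manifest beside the copy, and re-verifies the copy before analysis so that any contamination is detected rather than silently analyzed. The case identifier, collector name and the evidence bytes are constructed for illustration; a real acquisition would hash a block device or a forensic image rather than a temporary file.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so multi-GB images never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source: str, working_copy: str, collector: str, case_id: str) -> dict:
    """Copy the evidence, hash source and copy, and write a chain-of-custody manifest."""
    shutil.copyfile(source, working_copy)
    record = {
        "case_id": case_id,
        "collector": collector,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "source": source,
        "sha256_source": sha256_file(source),
        "sha256_copy": sha256_file(working_copy),
    }
    # The copy is only usable for analysis if it hashes identically to the original.
    record["copy_verified"] = record["sha256_source"] == record["sha256_copy"]
    with open(working_copy + ".manifest.json", "w") as f:
        json.dump(record, f, indent=2)
    return record


def verify(manifest_path: str, path: str) -> bool:
    """Re-hash before each analysis step and again for the report; a mismatch breaks the chain."""
    with open(manifest_path) as f:
        record = json.load(f)
    return sha256_file(path) == record["sha256_source"]


def demo() -> tuple:
    """Acquire constructed evidence, verify the copy, contaminate it, verify again."""
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "evidence.img")
        copy = os.path.join(d, "evidence_working.img")
        with open(source, "wb") as f:  # constructed stand-in for a disk image
            f.write(b"constructed evidence payload\n" * 4096)
        record = acquire(source, copy, "analyst1", "IR-2024-001")
        manifest = copy + ".manifest.json"
        before = verify(manifest, copy)
        with open(copy, "r+b") as f:  # simulate contamination of the working copy
            f.seek(0)
            f.write(b"X")
        after = verify(manifest, copy)
        return record["copy_verified"], before, after


if __name__ == "__main__":
    print("copy verified, intact before, intact after tamper:", demo())
```

The manifest records who collected what and when alongside the hashes; in practice it is signed or stored write-once so that the record itself cannot be edited after the fact.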

10
Q

nmap

A

An open-source network scanner that is used to discover hosts and services on a computer network by sending packets and analyzing their responses

11
Q

hping

A

An open-source packet generator and analyzer for TCP/IP, used for security auditing and testing of firewalls and networks

Sends crafted packets
Lets you set arbitrary IP, TCP, UDP and ICMP header values

12
Q

netcat

A

Utility for reading from and writing to network connections over TCP or UDP; a dependable back end that can be used directly or driven by other programs and scripts

Can be used for banner grabbing; also used for bind and reverse shell connections

13
Q

curl

A

A command line tool to transfer data to or from a server, using any of the supported protocols (HTTP, FTP, IMAP, POP3, SCP, SFTP, SMTP, TFTP, TELNET, LDAP or FILE)

Client URL
Retrieve data using a URL (web pages, FTP, emails, databases)
Grabs raw data (search, parse, automate)

14
Q

theHarvester

A

A Python script that gathers emails, subdomains, hosts, employee names, open ports and banners from public sources such as search engines, PGP key servers and the Shodan database

Gather OSINT
Scrape info from Google/Bing
List people on LinkedIn
DNS brute force of subdomains
Identify VPN, chat and mail hosts
15
Q

sn1per

A

An automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities across a network

Combines many recon tools into a single framework
Dnsenum, metasploit, nmap, theHarvester, & more
Both non-intrusive and very intrusive scanning options
Another tool that can cause problems (brute force, server scanning)

16
Q

scanless

A

Utility that uses third-party websites offering port scans to scan a target on your behalf

Stealthier because the scan traffic appears to come from the scanning website, not from you

17
Q

dnsenum

A

Utility that is used for DNS enumeration to locate all DNS servers and DNS entries for a given organization

18
Q

Nessus

A

A proprietary vulnerability scanner that can remotely scan a computer or network for vulnerabilities

19
Q

Cuckoo

A

Open-source software for automating the analysis of suspicious files

A sandbox for malware
A virtualized environment (Windows/Linux/macOS/Android)
Tracks and traces API calls, network traffic and memory

20
Q

head

A

A command-line utility for outputting the first ten lines of a file provided to it

21
Q

tail

A

A command-line utility for outputting the last ten lines of a file provided to it

22
Q

cat

A

A command-line utility for outputting the contents of a file to the screen

23
Q

grep

A

A command-line utility for searching plain-text data sets for lines that match a regular expression or pattern
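
The pattern matching described above turned into detection logic, as an added example that is not from the original flashcards: Python applies the same kind of regular expression grep would (keeping only sshd authentication results from constructed syslog-format lines), then counts failures per source in a sliding one-minute window and records whether a login from a flagged source succeeded afterwards. The log lines, host name and addresses are constructed; the year is supplied because traditional syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sshd lines in traditional syslog layout (no year, no zone in the timestamp).
SAMPLE_LOG = """\
Mar  3 09:14:01 web01 sshd[2211]: Failed password for root from 198.51.100.23 port 50122 ssh2
Mar  3 09:14:02 web01 sshd[2211]: Failed password for root from 198.51.100.23 port 50123 ssh2
Mar  3 09:14:03 web01 sshd[2212]: Connection closed by 198.51.100.23 port 50123 [preauth]
Mar  3 09:14:04 web01 sshd[2213]: Failed password for invalid user admin from 198.51.100.23 port 50124 ssh2
Mar  3 09:14:05 web01 sshd[2214]: Failed password for invalid user oracle from 198.51.100.23 port 50125 ssh2
Mar  3 09:14:09 web01 sshd[2215]: Failed password for root from 198.51.100.23 port 50126 ssh2
Mar  3 09:14:11 web01 sshd[2216]: Accepted password for root from 198.51.100.23 port 50127 ssh2
Mar  3 09:20:40 web01 sshd[2290]: Failed password for alice from 10.0.0.15 port 40010 ssh2
Mar  3 09:31:12 web01 sshd[2301]: Accepted publickey for alice from 10.0.0.15 port 40011 ssh2
"""

# Equivalent of: grep -E 'sshd\[[0-9]+\]: (Failed|Accepted) ' auth.log, plus named captures.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

Event = Tuple[datetime, str, str, str]  # (timestamp, result, user, source IP)


def parse_auth_log(text: str, year: int = 2024) -> List[Event]:
    """Keep only authentication results; lines grep would not print are dropped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect_bruteforce(events: List[Event], threshold: int = 5,
                      window: timedelta = timedelta(minutes=1)) -> Dict[str, Optional[datetime]]:
    """Sources with >= threshold failures inside a sliding window, mapped to the time of the
    first login that later succeeded from that source (None if the burst never succeeded)."""
    recent: Dict[str, deque] = defaultdict(deque)
    alerts: Dict[str, Optional[datetime]] = {}
    for ts, result, user, src in events:
        if result == "Failed":
            q = recent[src]
            q.append(ts)
            while ts - q[0] > window:  # slide the window forward
                q.popleft()
            if len(q) >= threshold:
                alerts.setdefault(src, None)
        elif result == "Accepted" and src in alerts and alerts[src] is None:
            alerts[src] = ts  # success right after a burst of failures: treat as compromised
    return alerts


if __name__ == "__main__":
    for src, success in detect_bruteforce(parse_auth_log(SAMPLE_LOG)).items():
        print(f"{src}: brute force detected; succeeded at {success}")
```

A plain grep answers "which lines mention failed logins"; the window and threshold answer the incident question "which source is actually attacking, and did it get in".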

24
Q

logger

A

Utility that adds messages to the system log (syslog or the systemd journal) from the command line or from a file; useful for recording an analyst's actions in the same timeline as the system's own events

25
Q

OpenSSL

A

A software library and command-line toolkit for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end

Toolkit and crypto library for SSL/TLS
Create X.509 certificates
Manage CSRs and CRLs
Message digests
Encryption and decryption

26
Q

tcpdump

A

A command line utility that captures and analyzes network traffic passing through an interface on your system (for example, tcpdump -i eth0 -w capture.pcap writes packets to a file for later analysis)

27
Q

tcpreplay

A

A suite of free, open-source utilities for editing and replaying previously captured network traffic

Test security devices
Check IPS signatures and firewall rules
Test and tune IPFIX/NetFlow devices
Send hundreds of thousands of traffic flows per second
Evaluate the performance of security devices: throughput and flows per second

28
Q

Wireshark

A

A popular network analysis tool that captures network packets and displays them at a granular level for real-time or offline analysis

29
Q

FTK Imager

A

A data preview and imaging tool that lets you quickly assess electronic evidence to determine whether further analysis with a full forensic tool is needed; it also creates forensic images and records their hashes

30
Q

Memdump

A

A command line utility used to dump system memory to the standard output stream, skipping over holes in memory maps

31
Q

WinHex

A

A commercial disk editor and universal hexadecimal editor used for data recovery and digital forensics

32
Q

Autopsy

A

A digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools

Extracts many different data types
Downloads, browser cache/history, emails, databases, etc.

33
Q

Metasploit (MSF)

A

A penetration-testing framework that provides exploit modules for known software vulnerabilities, payloads and auxiliary tools; also used for IDS signature development and for validating that a vulnerability is actually exploitable

34
Q

BeEF

A

Browser Exploitation Framework: a tool that hooks one or more browsers and uses them as a beachhead for launching direct commands and further attacks against the system from within the browser context

35
Q

Cain & Abel

A

A Windows password recovery tool that can sniff the network, crack encrypted passwords using dictionary, brute-force and cryptanalysis attacks, record VoIP conversations, decode scrambled passwords, reveal password boxes and analyze routing protocols

36
Q

John the Ripper

A

An open source password security auditing and password recovery tool available for many operating systems

37
Q

Incident Response Process

A

Preparation
Identification
Containment
Eradication
Recovery
Lessons Learned

38
Q

Exercises: Tabletop

A

Talking through a drill instead of physically acting it out
Talk through a simulated disaster

39
Q

Exercises: Walkthrough

A

Includes the responders (a step beyond a tabletop exercise)
Test processes and procedures before an event
Walk through each step
Involve all groups
Reference the actual response materials

40
Q

Exercises: Simulations

A

Testing a simulated event
Example: phishing. Create a phishing email attack for your organization and see who falls for it; anyone who does needs additional training

41
Q

Stakeholder Management

A

Keeping an ongoing relationship with IT customers (internal and external)
IT would not exist without its stakeholders
Most of this work happens before an incident and continues after it

42
Q

COOP

A

Continuity of Operations Planning: an alternative way to keep operating if technology fails
Manual transactions, paper receipts, phone calls for transaction approvals

43
Q

Retention Policies

A

Back up your data (how much? where?)
Lifecycle of data, purging old data
Regulatory compliance: a certain amount of data backup may be required
Differentiate by type and application

44
Q

Recording Time Offsets

A

The time zone determines how a time is displayed
Document local device settings (time zone, NTP source, observed clock skew against a reference clock)
Different file systems use different timestamp formats (e.g. FILETIME on NTFS, epoch seconds on ext4)
Record the time offset from the OS

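The normalization the card above asks for, as an added example that is not part of the original flashcards: Python converts three constructed artifacts, an NTFS FILETIME, an ext4 epoch timestamp and a syslog line from a device whose zone and clock skew were documented at acquisition, into UTC and orders them into one timeline. The artifact labels, values, the UTC-5 zone and the three-minute skew are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft: int) -> datetime:
    """Windows/NTFS FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def unix_to_utc(seconds: int) -> datetime:
    """ext4/APFS-style epoch seconds, already UTC."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def device_local_to_utc(naive_local: datetime, utc_offset_hours: float,
                        clock_skew: timedelta) -> datetime:
    """Syslog-style timestamps carry neither zone nor year: apply the zone documented for
    the device and subtract its measured clock skew (positive = device clock runs fast)."""
    zone = timezone(timedelta(hours=utc_offset_hours))
    return (naive_local - clock_skew).replace(tzinfo=zone).astimezone(timezone.utc)


# Constructed artifacts. web01 was documented at acquisition as UTC-5 (US Eastern, before
# DST starts on 2024-03-10) and 3 minutes fast against the lab reference clock.
WEB01_UTC_OFFSET_HOURS = -5
WEB01_CLOCK_SKEW = timedelta(minutes=3)
ARTIFACTS = [
    ("ntfs $STANDARD_INFORMATION modified: lateral.exe", "filetime", 133539488510000000),
    ("ext4 mtime: /var/tmp/.x", "unix", 1709475300),
    ("syslog web01 sshd: Accepted password", "device_local", datetime(2024, 3, 3, 9, 17, 11)),
]


def build_timeline(artifacts=ARTIFACTS) -> List[Tuple[datetime, str]]:
    """Normalize every artifact to UTC and sort; this is the only order that means anything."""
    rows = []
    for label, kind, value in artifacts:
        if kind == "filetime":
            ts = filetime_to_utc(value)
        elif kind == "unix":
            ts = unix_to_utc(value)
        elif kind == "device_local":
            ts = device_local_to_utc(value, WEB01_UTC_OFFSET_HOURS, WEB01_CLOCK_SKEW)
        else:
            raise ValueError(f"unknown timestamp kind {kind}")
        rows.append((ts, label))
    return sorted(rows)


if __name__ == "__main__":
    for ts, label in build_timeline():
        print(ts.isoformat(), label)
```

Without the documented offset and skew the sshd login would sort 4 hours and 57 minutes away from the file-system events it actually coincides with, which is exactly the kind of error that makes a timeline unusable in a report.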
45
Q

Order of Volatility

A

(From most to least volatile)
CPU registers, CPU cache
Routing table, ARP cache, process table, kernel statistics, memory
Temporary file systems
Disk
Remote logging and monitoring data
Physical configuration, network topology
Archival media

46
Q

Checksums

A

Protect against accidental changes during transmission or storage
Simple integrity check
Not designed to replace a cryptographic hash: an attacker can deliberately alter data while keeping the checksum the same

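Why the last line of the card above holds, as an added example that is not part of the original flashcards: Python that tampers with a constructed record and then appends four bytes computed so that the CRC-32 of the result equals the CRC-32 of the original, while SHA-256 still detects the change. It works because CRC is linear over GF(2) and each byte step of the table-driven algorithm can be inverted from the high byte of its output; the record contents are constructed for illustration.

```python
import hashlib
import zlib

POLY = 0xEDB88320  # reflected CRC-32 polynomial shared by zlib, gzip, PNG and Ethernet


def make_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = make_table()
# The high byte of each table entry is unique, so a register's high byte identifies the
# table entry that produced it. That is what makes the last four byte steps invertible.
TOP_BYTE_TO_INDEX = {t >> 24: i for i, t in enumerate(TABLE)}
assert len(TOP_BYTE_TO_INDEX) == 256


def crc32(data: bytes, register: int = 0xFFFFFFFF) -> int:
    """Table-driven CRC-32, bit-compatible with zlib.crc32; kept here to expose the register."""
    for b in data:
        register = TABLE[(register ^ b) & 0xFF] ^ (register >> 8)
    return register ^ 0xFFFFFFFF


def forge_crc32_suffix(prefix: bytes, target_crc: int) -> bytes:
    """Four bytes such that crc32(prefix + suffix) == target_crc."""
    register = crc32(prefix) ^ 0xFFFFFFFF  # internal state after prefix
    wanted = target_crc ^ 0xFFFFFFFF       # state required after four more bytes
    indexes = []
    state = wanted
    for _ in range(4):  # walk backwards: recover the table index used at each step
        idx = TOP_BYTE_TO_INDEX[state >> 24]
        indexes.append(idx)
        state = ((state ^ TABLE[idx]) << 8) & 0xFFFFFFFF  # previous state, low byte unknown
    suffix = bytearray()
    for idx in reversed(indexes):  # walk forwards: choose bytes that hit those indexes
        suffix.append((register ^ idx) & 0xFF)
        register = TABLE[idx] ^ (register >> 8)
    return bytes(suffix)


def demo() -> dict:
    original = b"amount=100.00 payee=alice\n"
    tampered = b"amount=900.00 payee=mallory\n"
    forged = tampered + forge_crc32_suffix(tampered, zlib.crc32(original))
    return {
        "crc_matches": zlib.crc32(forged) == zlib.crc32(original),
        "sha256_matches": hashlib.sha256(forged).digest() == hashlib.sha256(original).digest(),
    }


if __name__ == "__main__":
    print(demo())
```

A checksum on an evidence image or a log archive therefore only tells you that nothing broke in transit; the collection manifest needs a cryptographic hash, and the chain-of-custody record needs that hash to be stored where the person holding the evidence cannot rewrite it.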
47
Q

Provenance

A

Documentation of authenticity
Chain of custody for data handling
Blockchain technology (as a tamper-evident ledger of who handled what, and when)

48
Q

E-Discovery

A

Collect, prepare, review, interpret and produce electronic documents
Gathering details and providing them to legal authorities
Works together with digital forensics

49
Q

Non-Repudiation

A

Proof of data integrity and origin: you said it (or did it), and you can't deny it
MAC (Message Authentication Code): the two parties sharing the key can verify integrity and origin between themselves, but because either of them could have produced the tag, a MAC cannot prove to a third party who sent the message
Digital signature: created with the signer's private key, so anyone holding the public key can verify it (non-repudiation is publicly verifiable)

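The MAC-versus-signature distinction in the card above, as an added example that is not part of the original flashcards: Python shows that with a shared HMAC key the receiver can mint a tag for a message the sender never sent and a key-holding verifier accepts it, whereas a signature over the same message cannot be transferred to an altered message by anyone holding only the public key. A Lamport one-time signature is used because it needs nothing beyond hashlib; production systems use Ed25519, ECDSA or RSA, which give the same private-signs/public-verifies property. The messages and the key material are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import List, Tuple


def mac_tag(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, "sha256").digest()


def mac_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, msg), tag)


# Lamport one-time signature: 256 pairs of 32-byte secrets; the public key is their hashes.
# Signing reveals one secret per bit of H(msg); each key pair must sign ONE message only.
KeyPair = Tuple[List[Tuple[bytes, bytes]], List[Tuple[bytes, bytes]]]


def lamport_keygen() -> KeyPair:
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk


def _bits(msg: bytes) -> List[int]:
    d = hashlib.sha256(msg).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(sk, msg: bytes) -> List[bytes]:
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]


def lamport_verify(pk, msg: bytes, sig: List[bytes]) -> bool:
    if len(sig) != 256:
        return False
    return all(hashlib.sha256(s).digest() == pk[i][bit]
               for i, (s, bit) in enumerate(zip(sig, _bits(msg))))


def demo() -> tuple:
    msg = b"transfer 500 to bob"
    forged = b"transfer 5000 to bob"

    key = os.urandom(32)                  # shared by Alice and Bob
    alice_tag = mac_tag(key, msg)
    bob_forgery = mac_tag(key, forged)    # Bob can compute this himself
    alice_tag_ok = mac_verify(key, msg, alice_tag)
    forgery_ok = mac_verify(key, forged, bob_forgery)   # indistinguishable from Alice's work

    sk, pk = lamport_keygen()             # sk stays with Alice; pk goes to Bob and the judge
    sig = lamport_sign(sk, msg)
    sig_ok = lamport_verify(pk, msg, sig)
    sig_on_forged = lamport_verify(pk, forged, sig)     # Bob cannot move the signature
    return alice_tag_ok, forgery_ok, sig_ok, sig_on_forged


if __name__ == "__main__":
    print("MAC accepts Alice's tag, MAC accepts Bob's forgery, sig valid, sig moved to forgery:", demo())
```

For incident evidence this is the difference between "our collector and our analyst agree this record is unchanged" (a MAC between two parties who both hold the key) and "an outside party can check that this record is the one the collector produced" (a signature with the collector's private key).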