LDR 551- Book 4 Flashcards
What is the Internet Storm Center?
Internet’s early warning system
What are the four key elements of incident response preparation according to Brown and Roberts?
Telemetry, hardening, process, practice
Why is visibility foundational in incident response?
It’s essential for investigation and response activities.
What helps prioritize response efforts in incident response?
Analytics, key assets, users, and contextual information
Why is having solid process documentation important in incident response?
Prevents figuring out procedures on the go.
What is often the most overlooked part of incident response?
Practice
What must incident response tools, services, and skillsets meet?
Requirements of the environment and constituency
What informs incident response staffing strategy?
Incident response goals
What is essential for effective incident response teamwork?
Strong interpersonal relationships and good communications
What should your SOC consider for each device type and location?
Readiness for different incident scenarios
What is a main consideration for SOC planning?
Scenarios the SOC is willing and capable of responding to
What is a key aspect of prevention as preparation?
Preparing infrastructure to resist intrusion
What are CIS benchmarks?
Best practices for secure configurations
What are the two levels of CIS security settings?
Level 1 and Level 2
What does Level 1 security setting aim to achieve?
Basic security with little impact on functionality
What does Level 2 security setting aim to achieve?
Greater security but may reduce functionality
What are CIS hardened images?
Securely configured virtual machine images
What is NIST SP 800-123?
Guide to General Server Security
What is the purpose of the NIST National Checklist Program?
Provides a searchable index of hardening guides
What are DISA STIGs?
Step-by-step checklists for locking down systems
What is the Australian Signals Directorate known for?
Detailed system configuration guides
What are the CIS Controls?
Prioritized actions for defense against attacks
How are CIS Controls organized?
By activities, not by who manages devices
What should you understand about your environment for effective security?
Normal operations in networks, hosts, applications, users
What is a good exercise for incident response preparation?
Trace “control” events through existing telemetry
What are the three components of incident response governance?
Policy, Plan, Procedure
What are the three foundational documents for incident response?
Policy, plan, and procedure
What is the purpose of the incident response policy?
High-level direction setting document
What does the incident response plan define?
Mission, strategies, and goals of the team
What are the phases of incident response according to NIST SP 800-61r2?
Preparation, Detection and Analysis, Containment, Eradication and Recovery, Post-Incident Activity
What should the incident response procedure include?
Technical processes, checklists, forms, templates, roles, responsibilities
What are the common IR team structures?
Centralized, Distributed, Coordinating
What is a coordinating team?
Provides help to other teams with higher authority.
Which team format is ideal for large organizations with in-house capabilities and a full SOC?
Distributed Team
What is the advantage of distributed teams?
Fastest response times.
Which SOC model is suitable for smaller, geographically bounded organizations?
Single centralized SOC model
In what scenario is a coordinating SOC commonly found?
Government scenarios with multiple authority levels.
What factors should be considered when selecting an IR team type?
Expected workload, team size, budget, expertise, availability.
What is the simplest staffing model for incident response?
Full in-house set of employees.
When might a partially outsourced IR capability be chosen?
Small budget or rare large incidents.
What is a key benefit of partially outsourcing IR capabilities?
Reduces costs for rarely needed specialties.
Why might a small business fully outsource its IR capabilities?
Lack of staff or in-house experience.
What is a hybrid partial outsourcing model used for?
To help stand up a new IR team.
What is crucial for effective incident response in multi-team systems?
Technical and social processes.
What role does a SOC lead play in communication during an incident?
Ensures direction and shields team from distractions.
What did the 2016 study on incident response emphasize?
Integration of technical and social processes.
What are common social failings in incident response teams?
Poor communication and collaboration.
What can help minimize communication failures during an incident?
Communications charters, plans, protocols.
What is the difference between taskwork and teamwork?
Taskwork is goal-related; teamwork is for coherence.
What must leadership coordinate in multi-team systems?
Teamwork and taskwork activities.
What is required for effective incident response?
Multiple teams and individuals working together
What drives incident response outcomes?
Taskwork-driven results and outcomes
Why is teamwork necessary in incident response?
To accomplish taskwork sustainably and repeatably
What happens without effective teamwork in incident response?
Too much variance and reliance on key individuals
What should incident response plans and training focus on?
Ensuring teams can work together effectively
What is the superordinate goal in an MTS Goal Hierarchy?
Protect Value Generation
What are the three main goals in incident response?
Identify, contain, eradicate threats; recover systems and data
What makes incident response inherently chaotic?
Requires many teams to work together across boundaries
What is a challenge if SOC team isn’t wholly responsible for incident response?
Conceptualizing ownership of functions
What did Mark Orlando and Dr. Daniel Shore discuss in their Black Hat Europe 2022 talk?
Increasing efficiency in incident response
What is the purpose of an MTS Goal Hierarchy Diagram?
Map out functions contributing to incident response goals
What is a precursor to documenting roles and responsibilities in incident response?
Creating MTS Goal Hierarchy diagrams
What does an MTS Interaction Diagram help understand?
Relationships needing attention in procedures and plans
What can an MTS Interaction Diagram be used as?
Diagnostic for team interactions
Why is there a very high level of interaction between the Watch and Engineering Teams?
Engineering supports containment and recovery tasks
What should be done given the high interaction level between Watch and Engineering Teams?
Involve Engineering in preparation and training
What is the key distinction between incident response and incident management?
Incident response focuses on technical activities; incident management on business risk
When do incident response activities generally end?
When impacted systems and data are restored
What do technical tasks rarely address?
Mitigation or remediation of business risk
What does incident management (IM) address?
Business issues during an organizational crisis
Who supports the IM process?
Cross-functional group of stakeholders
When is an IM process typically initiated?
During incidents rising to an organizational crisis
What might a ransomware incident require?
Negotiation, law enforcement coordination, third-party experts
What should your incident response plan reference?
The IM process and key stakeholders
What are foundational elements of IR capability?
Incident response governance, staffing models, infrastructure hardening
What does incident response require as a multi-team effort?
Deliberate and effective teamwork
What may not be enough during an organizational crisis?
Existing IR plans, policies, and procedures
When is an incident identified?
When there is measurable/observable impact
What is a common characteristic of incident activities?
Evidence demonstrating negative or impending impact
What is important for incident detection?
High fidelity detections
What should be assigned once an incident is declared?
Incident handler/lead
What might the incident handler decide at the response stage?
Deeper forensic data collection
Role of the IR Lead
Facilitates communication, collaboration, and task management
Qualifications of an IR Lead
Experienced with IR best practices and decision-making
Primary Responsibilities of IR Lead
Serve as primary source of truth, establish communication channels
Who are Subject Matter Experts?
SOC analysts, engineers, or system owners
Role of the Scribe
Collects information and documents incidents
Intentional Evidence
Data created for auditability
Unintentional Evidence
Byproduct of other processes, e.g., Windows event logs
Importance of Compliance in IR
Avoid fines, penalties, lawsuits, and criminal penalties
Examples of Compliance Regulations
HIPAA, PCI DSS, FISMA
Incident Categorization Options
NIST 800-61r2, Verizon’s VERIS
What is the benefit of the NIST 800-61 system?
It ranks dimensions like functional impact, information impact, and recoverability.
What is a drawback of the VERIS system?
It can go into an almost absurd amount of detail.
How can you address the complexity of the VERIS system?
Use only a subset of the VERIS framework.
When can you create a custom incident recording system?
If you don’t need to share metrics outside your organization.
What is the benefit of linking VERIS to MITRE ATT&CK?
It ties incident metrics to specific threat actors or TTPs.
What new resource helps align VERIS with ATT&CK?
The ATT&CK-to-VERIS GitHub repo.
What are the two big categories in forensic analysis?
Investigation and Response.
What should you do during initial incident response?
Get baseline parameters and preserve volatile evidence.
What tools can help preserve evidence quickly?
EDR and SOAR tools.
What is the purpose of a playbook in incident response?
Guidance for responding to various scenarios.
What should be avoided when writing playbooks?
Over-engineering the incident response process.
What should a well-written playbook answer?
Who do I call first? and “What information do I need?”
How often should playbooks be reviewed?
Periodically, for relevance and timeliness.
What is the purpose of reference models in technical response playbooks?
To guide writing technical response playbooks.
What does an example playbook standardize?
Actions the team takes.
What should be done before escalation/closure as false positive?
Standardized actions.
Who handles manual investigative steps in a playbook?
Analysts.
Who handles automatable actions in a playbook?
SOAR platform.
What does a playbook ensure when a common event occurs?
Thorough investigation before closure.
What mix do playbooks often have?
Mandatory and optional steps.
What should be taken by analysts in a playbook?
Manual steps.
What can be performed with a SOAR platform in a playbook?
Simple data gathering and automated actions.
What are common errors when making playbooks?
Making too many or too strict playbooks.
What happens if playbooks are too strict?
Analysts work around the playbook.
What should high-level generic playbooks focus on?
What to do, not necessarily how.
What does a SOAR platform do in playbook-centric alert work?
Enriches data and makes decisions.
What does a SOAR system eliminate from analyst workflow?
Repetitive, non-value-added steps.
What is an example of a system similar to playbooks?
TheHive’s “Case templates”.