LDR 551- Book 4 Flashcards
What is the Internet Storm Center?
Internet’s early warning system
What are the four key elements of incident response preparation according to Brown and Roberts?
Telemetry, hardening, process, practice
Why is visibility foundational in incident response?
It’s essential for investigation and response activities.
What helps prioritize response efforts in incident response?
Analytics, key assets, users, and contextual information
Why is having solid process documentation important in incident response?
Prevents figuring out procedures on the go.
What is often the most overlooked part of incident response?
Practice
What must incident response tools, services, and skillsets meet?
Requirements of the environment and constituency
What informs incident response staffing strategy?
Incident response goals
What is essential for effective incident response teamwork?
Strong interpersonal relationships and good communications
What should your SOC consider for each device type and location?
Readiness for different incident scenarios
What is a main consideration for SOC planning?
Scenarios the SOC is willing and capable of responding to
What is a key aspect of prevention as preparation?
Preparing infrastructure to resist intrusion
What are CIS benchmarks?
Best practices for secure configurations
What are the two levels of CIS security settings?
Level 1 and Level 2
What does Level 1 security setting aim to achieve?
Basic security with little impact on functionality
What does Level 2 security setting aim to achieve?
Greater security but may reduce functionality
What are CIS hardened images?
Securely configured virtual machine images
What is NIST SP 800-123?
Guide to General Server Security
What is the purpose of the NIST National Checklist Program?
Provides a searchable index of hardening guides
What are DISA STIGs?
Step-by-step checklists for locking down systems
What is the Australian Signals Directorate known for?
Detailed system configuration guides
What are the CIS Controls?
Prioritized actions for defense against attacks
How are CIS Controls organized?
By activities, not by who manages devices
What should you understand about your environment for effective security?
Normal operations in networks, hosts, applications, users
What is a good exercise for incident response preparation?
Trace “control” events through existing telemetry
What are the three components of incident response governance?
Policy, Plan, Procedure
What are the three foundational documents for incident response?
Policy, plan, and procedure
What is the purpose of the incident response policy?
High-level direction setting document
What does the incident response plan define?
Mission, strategies, and goals of the team
What are the phases of incident response according to NIST SP 800-61r2?
Preparation, Detection and Analysis, Containment, Eradication and Recovery, Post-Incident Activity
What should the incident response procedure include?
Technical processes, checklists, forms, templates, roles, responsibilities
What are the common IR team structures?
Centralized, Distributed, Coordinating
What is a coordinating team?
Provides help to other teams with higher authority.
Which team format is ideal for large organizations with in-house capabilities and a full SOC?
Distributed Team
What is the advantage of distributed teams?
Fastest response times.
Which SOC model is suitable for smaller, geographically bounded organizations?
Single centralized SOC model
In what scenario is a coordinating SOC commonly found?
Government scenarios with multiple authority levels.
What factors should be considered when selecting an IR team type?
Expected workload, team size, budget, expertise, availability.
What is the simplest staffing model for incident response?
Full in-house set of employees.
When might a partially outsourced IR capability be chosen?
Small budget or rare large incidents.
What is a key benefit of partially outsourcing IR capabilities?
Reduces costs for rarely needed specialties.
Why might a small business fully outsource its IR capabilities?
Lack of staff or in-house experience.
What is a hybrid partial outsourcing model used for?
To help stand up a new IR team.
What is crucial for effective incident response in multi-team systems?
Technical and social processes.
What role does a SOC lead play in communication during an incident?
Ensures direction and shields team from distractions.
What did the 2016 study on incident response emphasize?
Integration of technical and social processes.
What are common social failings in incident response teams?
Poor communication and collaboration.
What can help minimize communication failures during an incident?
Communications charters, plans, protocols.
What is the difference between taskwork and teamwork?
Taskwork is goal-related; teamwork is for coherence.
What must leadership coordinate in multi-team systems?
Teamwork and taskwork activities.
What is required for effective incident response?
Multiple teams and individuals working together
What drives incident response outcomes?
Taskwork-driven results and outcomes
Why is teamwork necessary in incident response?
To accomplish taskwork sustainably and repeatably
What happens without effective teamwork in incident response?
Too much variance and reliance on key individuals
What should incident response plans and training focus on?
Ensuring teams can work together effectively
What is the superordinate goal in an MTS Goal Hierarchy?
Protect Value Generation
What are the three main goals in incident response?
Identify, contain, eradicate threats; recover systems and data
What makes incident response inherently chaotic?
Requires many teams to work together across boundaries
What is a challenge if SOC team isn’t wholly responsible for incident response?
Conceptualizing ownership of functions
What did Mark Orlando and Dr. Daniel Shore discuss in their Black Hat Europe 2022 talk?
Increasing efficiency in incident response
What is the purpose of an MTS Goal Hierarchy Diagram?
Map out functions contributing to incident response goals
What is a precursor to documenting roles and responsibilities in incident response?
Creating MTS Goal Hierarchy diagrams
What does an MTS Interaction Diagram help understand?
Relationships needing attention in procedures and plans
What can an MTS Interaction Diagram be used as?
Diagnostic for team interactions
Why is there a very high level of interaction between the Watch and Engineering Teams?
Engineering supports containment and recovery tasks
What should be done given the high interaction level between Watch and Engineering Teams?
Involve Engineering in preparation and training
What is the key distinction between incident response and incident management?
Incident response focuses on technical activities; incident management on business risk
When do incident response activities generally end?
When impacted systems and data are restored
What do technical tasks rarely address?
Mitigation or remediation of business risk
What does incident management (IM) address?
Business issues during an organizational crisis
Who supports the IM process?
Cross-functional group of stakeholders
When is an IM process typically initiated?
During incidents rising to an organizational crisis
What might a ransomware incident require?
Negotiation, law enforcement coordination, third-party experts
What should your incident response plan reference?
The IM process and key stakeholders
What are foundational elements of IR capability?
Incident response governance, staffing models, infrastructure hardening
What does incident response require as a multi-team effort?
Deliberate and effective teamwork
What may not be enough during an organizational crisis?
Existing IR plans, policies, and procedures
When is an incident identified?
When there is measurable/observable impact
What is a common characteristic of incident activities?
Evidence demonstrating negative or impending impact
What is important for incident detection?
High fidelity detections
What should be assigned once an incident is declared?
Incident handler/lead
What might the incident handler decide at the response stage?
Deeper forensic data collection
Role of the IR Lead
Facilitates communication, collaboration, and task management
Qualifications of an IR Lead
Experienced with IR best practices and decision-making
Primary Responsibilities of IR Lead
Serve as primary source of truth, establish communication channels
Who are Subject Matter Experts?
SOC analysts, engineers, or system owners
Role of the Scribe
Collects information and documents incidents
Intentional Evidence
Data created for auditability
Unintentional Evidence
Byproduct of other processes, e.g., Windows event logs
Importance of Compliance in IR
Avoid fines, penalties, lawsuits, and criminal penalties
Examples of Compliance Regulations
HIPAA, PCI DSS, FISMA
Incident Categorization Options
NIST 800-61r2, Verizon’s VERIS
What is the benefit of the NIST 800-61 system?
It ranks dimensions like functional impact, information impact, and recoverability.
What is a drawback of the VERIS system?
It can go into an almost absurd amount of detail.
How can you address the complexity of the VERIS system?
Use only a subset of the VERIS framework.
When can you create a custom incident recording system?
If you don’t need to share metrics outside your organization.
What is the benefit of linking VERIS to MITRE ATT&CK?
It ties incident metrics to specific threat actors or TTPs.
What new resource helps align VERIS with ATT&CK?
The ATT&CK-to-VERIS GitHub repo.
What are the two big categories in forensic analysis?
Investigation and Response.
What should you do during initial incident response?
Get baseline parameters and preserve volatile evidence.
What tools can help preserve evidence quickly?
EDR and SOAR tools.
What is the purpose of a playbook in incident response?
Guidance for responding to various scenarios.
What should be avoided when writing playbooks?
Over-engineering the incident response process.
What should a well-written playbook answer?
Who do I call first? and “What information do I need?”
How often should playbooks be reviewed?
Periodically, for relevance and timeliness.
What is the purpose of reference models in technical response playbooks?
To guide writing technical response playbooks.
What does an example playbook standardize?
Actions the team takes.
What should be done before escalation/closure as false positive?
Standardized actions.
Who handles manual investigative steps in a playbook?
Analysts.
Who handles automatable actions in a playbook?
SOAR platform.
What does a playbook ensure when a common event occurs?
Thorough investigation before closure.
What mix do playbooks often have?
Mandatory and optional steps.
What should be taken by analysts in a playbook?
Manual steps.
What can be performed with a SOAR platform in a playbook?
Simple data gathering and automated actions.
What are common errors when making playbooks?
Making too many or too strict playbooks.
What happens if playbooks are too strict?
Analysts work around the playbook.
What should high-level generic playbooks focus on?
What to do, not necessarily how.
What does a SOAR platform do in playbook-centric alert work?
Enriches data and makes decisions.
What does a SOAR system eliminate from analyst workflow?
Repetitive, non-value-added steps.
What is an example of a system similar to playbooks?
TheHive’s “Case templates”.
What does Adaptive Case Management enable?
Flexibility without sacrificing structure.
What does Adaptive Case Management involve?
Customizing the incident management system.
What should be captured during an incident?
Action items, timeline, leads, and outcomes.
What context should be tracked during an incident response?
Kill chain context for observed events.
What is a key metric for incident response?
Time to detection after initial compromise.
What is a common workflow for finding the initial point of compromise?
Move from known detection to infection point.
What is the most common workflow in incident detection?
Move from detection (D) to infection (C).
What should be scrutinized once point C is known?
Network and host data.
What should you look for in a multi-machine attack?
Evidence of lateral movement (B).
What should the SOC do after finding the real first point of access?
Time bound its search.
What becomes easier once pivoting tactics are exposed?
Finding each additional effect machine.
What is the SOC’s goal from point D to E?
Get there as quickly as possible.
What is another goal of the SOC in general?
Minimize time between A and D.
What defines an ideal SOC?
Go from A to D and D to E in zero time.
What should be avoided in IR communications?
Attribution and jargon.
What is crucial in good IR communications?
Be clear, timely, and responsible.
Why should the security team provide updates?
To avoid dangerous assumptions.
Who should the updates be easily understood by?
A non-technical audience.
What is important in incident management?
Subtle distinctions in scenarios.
What might the IR team look for if usernames and passwords are stolen?
Where the passwords may be stored.
What does attackers using tokens suggest?
User logged in somewhere infected.
What role might SOCs designate for non-technical updates?
Scribe or incident coordinator.
What should be avoided when communicating with executives?
Technical jargon and vendor name-dropping.
What is the job of a leader in IR communications?
Bring order to chaos.
Why is shared understanding vital in incident response?
To address the same problem set.
What should be ensured from a communications perspective in IR?
Response procedures are followed.
Delegate technical tasks and collect inputs from whom?
Subject matter experts and other stakeholders
What should communication channels be compared to?
Staging area outside a burning building
How should productivity in communication channels be guarded?
Ruthlessly, even shutting down discussions
What should documentation during an incident consider?
OPSEC & data privacy, archivable, accessible
Where should findings and actions be stored during a response?
In a place accessible to team members
What may be sufficient for storing case notes?
Ticketing system
What features should a repository have during an incident?
Quick setup, organized actions, accessible
What are examples of real-time collaboration platforms?
Slack, Signal, online documents
What should text in any solution be?
Archivable or available for reference
What should be documented to brief the larger team?
Impacted users and systems
What should be collected during an incident?
Private keys, certs, API keys
What should be identified related to malicious activity?
IP addresses and domains
What should be shared in the early hours of an incident?
Indicators of compromise, compromised hosts
What is crucial in the early stages of an incident?
Answering key questions, minimizing damage
What can playbooks do in an incident response?
Reduce panic, improve quality and consistency
What should be built into your incident management system?
Steps in your playbooks
What are the objectives of Exercise 4.2?
Brainstorm tasks, develop playbook, build into system
What does forensic analysis in IR often require?
Additional capture and analysis
What makes forensic analysis more complex?
Cloud, mobile, virtualization technologies
What are the key data types required to fully scope and respond to an intrusion?
Network communications, running processes, file listings, user actions.
What combination is usually incorporated at the network layer for incident response?
Full packet capture and summary data.
What tools can be used at the host layer for incident response?
Agent-based tools, WMI, PowerShell.
What are the focuses of incident response tools in modern environments?
Live data, non-persistent and real-time data.
What might the incident response function include?
Forensic capture and analysis, system restoration.
What are the types of forensic analysis mentioned?
Memory, disk, network, mobile, cloud storage, data analysis.
What does forensic analysis of volatile memory include?
Memory caches, active network connections, processes.
What does network forensic analysis focus on?
Network packets and traffic.
What does mobile forensic analysis involve?
Device internals, hardware, filesystems.
What does cloud storage forensic analysis examine?
File-based, object, and block filesystems.
What are the steps in the digital media analysis workflow?
Identify goals, copy artifacts, analyze, extract, report.
What is the first step in the digital media analysis workflow?
Identify investigative goals or questions.
What is the purpose of copying artifacts in digital media analysis?
To avoid changing original media.
What are some tools for disk and media capture and analysis?
Autopsy, SleuthKit.
What are some tools for drive reconstruction?
Forensic Toolkit (FTK), EnCase.
What are some tools for malware analysis?
Velociraptor, Sysmon, OSQuery.
What are some live distributions for incident response?
REMnux, SIFT, FLARE.
What are the types of enterprise security tools mentioned?
EDR, NDR, XDR
What should you consider when assembling your IR toolset?
Frequency, type, reporting requirements, team skillset
What factors impact forensic analysis decisions?
Remote vs local, cost, data format, CLI/GUI, full dump or key artifacts
Why is it risky to log into a compromised system?
Credentials may be stolen and used for lateral movement
What are interactive logins?
Logins where you interactively use the machine (e.g., RDP, PsExec)
What are noninteractive logins?
Logins like mapping a drive on a remote file share
What can attackers do if they obtain your credentials?
Pivot to other systems within the organization
What is the RDP Restricted Admin Model?
Connects via RDP without storing credentials in memory
What is Windows Defender Remote Credential Guard?
Prevents pass-the-hash attacks, uses Kerberos
What is a disadvantage of Windows Defender Remote Credential Guard?
Service tickets are vulnerable during their lifetime
What capabilities does PowerShell provide for incident response?
Data collection, analysis, mitigation actions
What data sources can PowerShell access for investigations?
WMI, COM, .NET, Windows API
What types of data can PowerShell collect?
Files, registry artifacts, logs, volatile processes, network info
What is PowerShell’s scripting language type?
Object-based
What service does PowerShell use for remote management?
Windows Remote Management (WinRM)
Why is PowerShell suitable for large scale remote operations?
Runs actions in parallel on targets
What is a key benefit of PowerShell remoting?
Agentless, uses built-in WinRM
What makes PowerShell a cost-effective option?
Low cost if skillsets are present
Since when has Windows Remote Management been available?
PowerShell 2.0 and Windows 7
What Windows versions have WinRM enabled by default?
Windows Server 2012 and 2016
What is PsExec part of?
Microsoft’s Sysinternals suite
What is a common use of PsExec in incident response?
Remote script execution
What should you be cautious of when using PsExec?
May leave credentials open to theft
What does WMI enable users to do?
Query WMI object instances
Why is WMI a robust data source?
Almost all Windows actions generate WMI events
What is a powerful feature of WMI for attackers and defenders?
WMI events for real-time notifications
What is EDR great for?
Forensic analysis and threat hunting
Who coined the term Endpoint Detection and Response (EDR)?
Anton Chuvakin
What is EDR compared to traditional host-based controls?
EDR expands upon traditional host-based controls by providing visibility.
What are some examples of commercial EDR platforms?
FireEye HS, CrowdStrike Falcon, Microsoft Defender.
What is Wazuh?
An open source EDR with various capabilities.
What is NDR?
A class of security technologies using non-signature-based techniques.
What do NDR platforms often leverage?
Automated statistical analysis techniques.
What does XDR stand for?
Extended Detection and Response.
How does XDR improve upon EDR?
Incorporates cloud and network data sources.
What is the advantage of consolidating data at the host layer in XDR?
More effective triage and faster response actions.
What are the two main methods of malware analysis?
Automated analysis and manual analysis.
Why might automated malware analysis fail?
Malware may detect the sandbox or be in an unsupported format.
When is manual malware analysis necessary?
For highly complex malware with anti-analysis features.
What is essential for extracting IOCs from malware?
Manual malware analysis capability
Name three online malware analysis services.
VirusTotal, Joe Sandbox, Hybrid Analysis
What should you remember when using online malware analysis services?
Remember your OPSEC
What are common offline/on-prem malware analysis tools?
Cuckoo sandbox, Sandboxie
Name two popular free utilities for static malware analysis.
YARA, FireEye’s FLOSS
Which SANS course teaches reverse-engineering malware?
SANS FOR610
What is a key consideration when choosing forensic tools for your team?
Service hours and SLAs for forensic analysis
What should be documented in your Incident Response Plan?
Triggers and inputs for forensic analysis
Name two immediate training courses for incident responders.
SANS SEC504, SEC503
What does SANS SEC504 focus on?
Incident handling and attacker perspective
What does SANS SEC503 focus on?
Deep dive into network traffic
Name a reference book for incident response tools and processes.
Applied Incident Response by Steve Anson
What is the first action during incident response?
Containment
What is of primary importance during containment?
Stop the bleeding
What is the goal of containment procedures?
Quick, tactical actions to stop attack progression
What should you consider when containing network traffic?
Cut off the system from the internet, internal network, or both.
What are some host-based containment methods?
Blocking and killing malicious processes, host-based firewalls
What should you do after identifying an active incident?
Take the first step to disrupt the activity: containment.
What should containment procedures involve?
Understanding the threat, planning action, informing stakeholders
What is a potential risk when blocking a primary domain or IP?
Malware may use backup command and control servers.
What is the goal of eradication procedures?
Fully removing the attacker from the environment
What are some eradication strategies?
Automated removal, surgical removal, wipe and rebuild
When might surgical removal be preferred over wipe and rebuild?
When zero downtime is the priority
What should be considered before immediate containment or eradication?
Context of the incident and potential OPSEC risks
How can you identify if you’re not dealing with a highly advanced attacker?
If malware is publicly known or referenced in blogs.
What should you do if dealing with a non-targeted malware infection?
Clean up any machine with the infection.
What approach is recommended for a potential targeted attack?
Watch and learn approach.
What is the strategy for dealing with a targeted attack?
Closely watch the infected asset and review its history.
What is a risk of acting too quickly against a targeted attack?
Adversary may have multiple entry points and be tipped off.
What might adversaries do once they know you’ve detected them?
Change tactics, spread, or go silent.
Do real-world adversaries change tactics upon detection?
Yes, even penetration testers and Red Teams do this.
What must be done with digital evidence?
Documented, secured, labeled, and preserved.
Why is adhering to high standards in evidence preservation beneficial?
Protects from loss in insurance claims, lawsuits, or regulatory violations.
What should you consider when gathering additional evidence from affected hosts?
Data acquisition strategy.
What helps maintain consistency and reduce panic during a response?
Cataloging actions in playbooks.
What should be enabled for cloud incident response preparation?
Non-default events logging.
What logs are needed for cloud-based incident response?
Sign-in activity, data access, network flow, application/OS logs.
What should be considered when changing default logging configurations?
Additional charges and processing/storage requirements.
What should be decided regarding cloud logging?
How to centralize logging.
What may result from changing default retention periods for cloud-native log storage?
Additional costs.
What do incident responders require for effective investigation?
Enhanced access to the environment.
Minimum access required for cloud incident response
Read access for logs, write access for snapshots
Why is understanding cloud computing concepts critical for responders?
To interpret cloud telemetry and infrastructure
What should you revisit for cloud forensics and incident response?
Team’s knowledge, skills, abilities, competencies
What is the Open Cybersecurity Schema Framework (OCSF)?
Common language for threat detection and investigation
How does OCSF simplify security logging?
By simplifying data ingestion and normalization
What makes OCSF suitable for multi-cloud environments?
Agnostic to storage format, ETL processes
How are OCSF schema files written?
As JSON, machine-readable and easy to interpret
What is the MITRE ATT&CK Cloud Matrix used for?
Expanding threat models for cloud infrastructure
What should guide SOCs preparation for cloud incident response?
Threat intelligence and applicability to environment
What is recommended to ensure cloud IR effectiveness?
Regular purple team and red team tests
Primary source of cloud telemetry
System logs via cloud utility or logging API
Indicators of malicious activity in cloud billing
Unusual or unexpected spikes in usage charges
What can help baseline cloud environment effectively?
Early challenging work with infrastructure support
Considerations for deeper forensic analysis in cloud
Forensic toolset, evidence handling, cloud-native tools
Concerns with exporting cloud data for analysis
Cost and chain of custody concerns
Alternative to exporting cloud data for analysis
Cloud-native forensics using pre-built forensic VMs
What is a potential benefit of increasing storage and processing power of machines during an incident?
Avoiding bulk data export during an incident
How can read-only access to data help during an investigation?
Maintains chain of custody
What types of cloud-native tools might be incorporated into a forensic toolkit?
Log analysis platforms, SIEMs, AWS Lambda, Google Cloud Functions, Azure Functions
Where can you learn more about spinning up a forensics lab using cloud technologies?
AWS CloudFormation, Azure Resource Manager, Google Cloud Deployment Manager
What are the three domains where containment can occur in the cloud?
Service domain, Infrastructure domain, Application domain
Why is containment more challenging in the cloud compared to on-prem?
Control over only a portion of the impacted system
What should you understand based on your organization’s cloud deployment model?
Containment options available
How can you conceptualize your cloud environment?
As service domain, infrastructure domain, and application domain
What is a key advantage of using cloud infrastructure?
Portability and ephemerality
What should you do to classify security incidents in the cloud?
Work with infrastructure teams and site reliability engineers
What should you know about your cloud service provider for effective incident response?
Telemetry enabled by default versus what is available
What is a good first place to check for information on cloud services?
Accounting for billing details
What should SOC incident leads be trained on?
Investigating and responding to incidents in the cloud
What varies between different cloud service providers (CSPs)?
Approaches and capabilities
What are the two main tactics to overcome short-term memory limitations in investigations?
Decomposition and externalization
What is decomposition in the context of investigations?
Breaking down a complex problem into fundamental parts
What is externalization in the context of investigations?
Getting data out of your head into a visible form
Who recommends decomposition and externalization for analysis?
Richards J. Heuer, Jr.
What is the first question in The Alexiou Principle?
What question are you trying to answer?
What is the second question in The Alexiou Principle?
What data do you need to answer that question?
What is the third question in The Alexiou Principle?
How do you extract that data?
What is the fourth question in The Alexiou Principle?
What does that data tell you?
What should analysts avoid doing immediately during an investigation?
Chasing the first intuitive idea
What is the goal of breaking down the investigation task into atomic questions?
To lead to the conclusion of the larger question
