Lesson 17

Question 1

Incident Response Process (PICERL)

Answer 1

Picerel
Peperation
Identification
Containment
Eradication
Recovery
Lessons Learned)

Preperation -> Identification -> Containment ->Eradication-> Recovery -> Post Incident Activity

1. Preparation—make the system resilient to attack in the first place. This includes
   hardening systems, writing policies and procedures, and setting up confidential
   lines of communication. It also implies creating incident response resources and
   procedures.
2. Identification—from the information in an alert or report, determine whether
   an incident has taken place, assess how severe it might be (triage), and
   notify stakeholders.
3. Containment—limit the scope and magnitude of the incident. The principal aim
   of incident response is to secure data while limiting the immediate impact on
   ctomers and business partners.
4. Eradication—once the incident is contained, remove the cause and restore the
   affected system to a secure state by applying secure configuration settings and
   installing patches.
5. Recovery—with the cause of the incident eradicated, the system can be
   reintegrated into the business process that it supports. This recovery phase may
   involve restoration of data from backup and security testing. Systems must be
   monitored more closely for a period to detect and prevent any reoccurrence
   of the attack. The response process may have to iterate through multiple
   phases of identification, containment, eradication, and recovery to effect a
   complete resolution.
6. Lessons learned—analyze the incident and responses to identify whether
   procedures or systems could be improved. It is imperative to document the
   incident. The outputs from this phase feed back into a new preparation phase in
   the cycle.

Question 2

Cyber Incident Response Team

Answer 2

• Reporting, categorizing, and prioritizing (triage)
• CIRT/CERT/CSIRT/SOC
• Management/decision-making authority (led by at least director level. person that can make decisions)
• Incident analysts
• 24/7 availability (costly)
• Roles beyond technical response
  
  • Legal
  • Human Resources (HR)
  • Marketing

Question 3

Other names for CIRT

Answer 3

cyber incident response team (CIRT),
computer security incident response team (CSIRT)
computer emergency response team (CERT).

Question 4

SOC

Answer 4

Incident
response might also involve or be wholly located within a security operations center
(SOC)

Question 5

Other roles needed on for Incident Response (CIRT)

Answer 5

Roles beyond technical response
•Legal
•Human Resources (HR)
•Marketing

•Legal—it is important to have access to legal expertise, so that the team can
evaluate incident response from the perspective of compliance with laws and
industry regulations. It may also be necessary to liaise closely with law enforcement
professionals, and this can be daunting without expert legal advice.

• Human Resources (HR)—incident prevention and remediation actions may affect
employee contracts, employment law, and so on. Incident response requires the
right to intercept and monitor employee communications.
• Marketing—the team is likely to require marketing or public relations input, so that
any negative publicity from a serious incident can be managed.

Question 6

Communication Plan and Stakeholder Management

Answer 6

• Prevent inadvertent disclosure
• Call list identifying trusted parties
• Communication plan
  
  • Share data on a need to know basis
  • Out-of-band communications—avoid alerting intruder
• Stakeholder management
  
  • Communication with internal and external stakeholders
  • Notification and reporting

Question 7

•Prevent inadvertent disclosure and call list (incident response)

Answer 7

You must prevent the inadvertent release of information beyond the team authorized
to handle the incident. Status and event details should be circulated on a need-to-know
basis and only to trusted parties identified on a call list.

Question 8

Communication plan

Answer 8

• Communication plan
  
  • Share data on a need to know basis
  • Out-of-band communications—avoid alerting intruder

Secure communication between the trusted parties of the CIRT is essential for
managing incidents successfully. It is imperative that adversaries not be alerted to
detection and remediation measures about to be taken against them. It may not be
appropriate for all members of the CSIRT to be informed about all incident details.

The team requires an “out-of-band” or “off-band” communication method that cannot
be intercepted. Using corporate email or VoIP runs the risk that the adversary will
be able to intercept communications. One obvious method is cell phones but these
only support voice and text messaging. For file and data exchange, there should
be a messaging system with end-to-end encryption, such as Off-the-Record (OTR),
Signal, or WhatsApp, or an external email system with message encryption (S/MIME
or PGP). These need to use digital signatures and encryption keys from a system
that is completely separate from the identity management processes of the network
being defended.

Question 9

Stakeholder Management

Answer 9

• Stakeholder management
  
  • Communication with internal and external stakeholders
  • Notification and reporting

Trusted parties might include both internal and external stakeholders. It is not helpful
for an incident to be publicized in the press or through social media outside of planned
communications. Ensure that parties with privileged information do not release this
information to untrusted parties, whether intentionally or inadvertently.

You need to consider obligations to report the attack. It may be necessary to inform
affected parties during or immediately after the incident so that they can perform their
own remediation. It may be necessary to report to regulators or law enforcement. You
also need to consider the marketing and PR impact of an incident. This can be highly
damaging and you will need to demonstrate to customers that security systems have
been improved.

Question 10

Incident Response Plan

Answer 10

• Lists the procedures, contacts, and resources available to responders for various incident categories
• Playbooks and runbooks
• Incident categorization
• Prioritization factors
  
  • Data integrity
  • Downtime
  • Economic/publicity
  • Scope
  • Detection time
  • Recovery time

Question 11

incident response plan (IRP)

Answer 11

An incident response plan (IRP) lists the procedures, contacts, and resources
available to responders for various incident categories.

Question 12

Playbooks and runbooks

Answer 12

playbook (or runbook) is a data-driven standard operating procedure (SOP) to assist
junior analysts in detecting and responding to specific cyberthreat scenarios, such as
phishing attempts, SQL injection data exfiltration, connection to a blacklisted IP range,
and so on. The playbook starts with a SIEM report and query designed to detect the
incident and identify the key detection, containment, and eradication steps to take.

Question 13

Incident categorization

Answer 13

Incident categories and definitions ensure that all response team members and other
organizational personnel all have a common base of understanding of the meaning
of terms, concepts, and descriptions. The categories, types, and definitions might vary
according to industry

Question 14

Prioritization factors

Answer 14

• Prioritization factors
  
  • Data integrity
  • Downtime
  • Economic/publicity
  • Scope
  • Detection time
  • Recovery time

Question 15

Data Integrity (prioritization factors)

Answer 15

Data integrity—the most important factor in prioritizing incidents will often be the
value of data that is at risk.

Question 16

Downtime (prioritization Factor)

Answer 16

Downtime—another very important factor is the degree to which an incident
disrupts business processes. An incident can either degrade (reduce performance)
or interrupt (completely stop) the availability of an asset, system, or business
process. If you have completed an asset inventory and a thorough risk assessment
of business processes (showing how assets and computer systems assist each
process), then you can easily identify critical processes and quantify the impact of
an incident in terms of the cost of downtime.

Question 17

Economic/publicity (prioritization Factor)

Answer 17

Economic/publicity—both data integrity and downtime will have important
economic effects, both in the short term and the long term. Short-term costs involve
incident response itself and lost business opportunities. Long-term economic costs
may involve damage to reputation and market standing.

Question 18

Scope(prioritization Factor)

Answer 18

• Scope—the scope of an incident (broadly the number of systems affected) is not a
direct indicator of priority. A large number of systems might be infected with a type
of malware that degrades performance, but is not a data breach risk. This might
even be a masking attack as the adversary seeks to compromise data on a single
database server storing top secret information.

Question 19

• Detection time(prioritization Factor)

Answer 19

• Detection time—research has shown that the existence of more than half of data
breaches are not detected for weeks or months after the intrusion occurs, while in
a successful intrusion data is typically breached within minutes. This demonstrates
that the systems used to search for intrusions must be thorough and the response
to detection must be fast.

Question 20

• Recovery time(prioritization Factor)

Answer 20

• Recovery time—some incidents require lengthy remediation as the system changes
required are complex to implement. This extended recovery period should trigger
heightened alertness for continued or new attacks.

Question 21

Cyber Kill Chain Attack Framework

Answer 21

Effective incident response depends on threat intelligence. Threat research provides
insight into adversary tactics, techniques, and procedures (TTPs). Insights from threat
research can be used to develop specific tools and playbooks to deal with event
scenarios. A key tool for threat research is a framework to use to describe the stages
of an attack. These stages are often referred to as a cyber kill chain

1, Reconnaissance

2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command and Control (C2)
7. Actions on Objectives

Question 22

1. Reconnaissance

Answer 22

1. Reconnaissance—in this stage the attacker determines what methods to use to
   complete the phases of the attack and gathers information about the target’s
   personnel, computer systems, and supply chain.

Question 23

2. Weaponization

Answer 23

2. Weaponization—the attacker couples payload code that will enable access with
   exploit code that will use a vulnerability to execute on the target system.

Question 24

3. Delivery

Answer 24

3. Delivery—the attacker identifies a vector by which to transmit the weaponized
   code to the target environment, such as via an email attachment or on a
   USB drive.

Question 25

4. Exploitation

Answer 25

4. Exploitation—the weaponized code is executed on the target system by this
   mechanism. For example, a phishing email may trick the user into running the
   code, while a drive-by-download would execute on a vulnerable system without
   user intervention.

Question 26

5. Installation

Answer 26

5. Installation—this mechanism enables the weaponized code to run a remote
   access tool and achieve persistence on the target system.

Question 27

6. Command and control (C2 or C&C)

Answer 27

6. Command and control (C2 or C&C)—the weaponized code establishes an
   outbound channel to a remote server that can then be used to control the remote
   access tool and possibly download additional tools to progress the attack.

Question 28

7. Actions on objectives

Answer 28

7. Actions on objectives—in this phase, the attacker typically uses the access he
   has achieved to covertly collect information from target systems and transfer
   it to a remote system (data exfiltration). An attacker may have other goals or
   motives, however.

Question 29

MITRE ATT&CK

Answer 29

Another atack framework

MITRE ATT&CK
•Database of TTPs
•Tactic categories
•No explicit sequencing

Question 30

The Diamond Model of Intrusion Analysis

Answer 30

Another Attack framework

•Framework for describing adversary capability and infrastructure plus effect on victim

Question 31

Incident Response Exercises

Answer 31

Tabletop
•Facilitator presents a scenario
•Does not involve live systems
- Least costly

Walkthroughs
•Responders demonstrate response actions (Unlike a tabletop exercise, the responders perform actions such asrunning scans and analyzing sample files, typically on sandboxed versions of thecompany’s actual response and recovery tools.)

Simulations
•Red team performs a simulated intrusion
- Simulations—a simulation is a team-based exercise, where the red team attempts
an intrusion, the blue team operates response and recovery controls, and a
white team moderates and evaluates the exercise. This type of training requires
considerable investment and planning.

Question 32

Tabletop

Answer 32

Tabletop
•Facilitator presents a scenario
•Does not involve live systems
- Least costly

Question 33

Walkthroughs

Answer 33

Walkthroughs
•Responders demonstrate response actions (Unlike a tabletop exercise, the responders perform actions such asrunning scans and analyzing sample files, typically on sandboxed versions of thecompany’s actual response and recovery tools.)

Question 34

Simulations

Answer 34

Simulations
•Red team performs a simulated intrusion
- Simulations—a simulation is a team-based exercise, where the red team attempts
an intrusion, the blue team operates response and recovery controls, and a
white team moderates and evaluates the exercise. This type of training requires
considerable investment and planning

Question 35

Incident response versus disaster recovery and business continuity

Answer 35

Incident response versus disaster recovery and business continuity
•Disaster recovery plan
•Response and recovery planning for major incidents
•Business continuity plan
•Making business procedures resilient
•Continuity of operation planning (COOP)

Question 36

•Disaster recovery plan

Answer 36

• Disaster recovery plan
  
  • Response and recovery planning for major incidents

Disaster recovery plan—a disaster can be seen as a special class of incident where
the organization's primary business function is disrupted. Disaster recovery requires
considerable resources, such as shifting processing to a secondary site. Disaster
recovery will involve a wider range of stakeholders than less serious incidents.

Question 37

•Business continuity plan

Answer 37

• Business continuity plan
  
  • Making business procedures resilient

Business continuity plan (BCP)—this identifies how business processes should
deal with both minor and disaster-level disruption. During an incident, a system
may need to be isolated. Continuity planning ensures that there is processing
redundancy supporting the workflow, so that when a server is taken offline for
security remediation, processing can failover to a separate system. If systems do not
have this sort of planned resilience, incident response will be much more disruptive.

Question 38

Continuity of Operation Planning (COOP)

Answer 38

• Continuity of Operation Planning (COOP)—this terminology is used for
government facilities, but is functionally similar to business continuity planning. In
some definitions, COOP refers specifically to backup methods of performing mission
functions without IT support.

Question 39

Incident response, forensics, and retention policy

Answer 39

Incident response, forensics, and retention policy
•Digital forensics requirements
•Retention policies for evidence preservation

The incident response process emphasizes containment, eradication, and recovery.
These aims are not entirely compatible with forensics. Digital forensics describes
techniques to collect and preserve evidence that demonstrate that there has been no
tampering or manipulation. Forensics procedures are detailed and time-consuming,
where the aims of incident response are usually urgent. If an investigation must use
forensic collection methods so that evidence is retained, this must be specified early in
the response process.

Retention policy is also important for retrospective incident handling, or threat
hunting. A retention policy for historic logs and data captures sets the period over
which these are retained. You might discover indicators of a breach months or years
after the event. Without a retention policy to keep logs and other digital evidence, it will
not be possible to make any further investigation.

Question 40

Incident identification

Answer 40

Identification is the process of collating events and determining whether any of them
should be managed as incidents or as possible precursors to an incident; that is, an
event that makes an incident more likely to happen

Question 41

Precursor

Answer 41

an event that makes an incident more likely to happen

Question 42

•Security mechanisms (IDS, log analysis, alerts) [precursor detection channel]

Answer 42

Using log files, error messages, IDS alerts, firewall alerts, and other resources
to establish baselines and identifying those parameters that indicate a possible
security incident.

Question 43

•Manual inspections [precursor detection channel]

Answer 43

• Manual or physical inspections of site, premises, networks, and hosts.

Question 44

•Notification procedures [precursor detection channel]

Answer 44

• Notification by an employee, customer, or supplier.

Question 45

•Public reporting [precursor detection channel]

Answer 45

Public reporting of new vulnerabilities or threats by a system vendor, regulator, the
media, or other outside party.

Question 46

•Confidential reporting/whistleblowing [precursor detection channel]

Answer 46

It is wise to provide for confidential reporting so that employees are not afraid to
report insider threats, such as fraud or misconduct. It may also be necessary to use an
“out-of-band” method of communication so as not to alert the intruder that his or her
attack has been detected.

Question 47

First responder

Answer 47

Member of CIRT taking charge of a reported incident

Question 48

Analysis and incident identification

Answer 48

Analysis and incident identification
•Classify and prioritize
•Downgrade low priority alerts to log-only

Question 49

Analysis and incident identification

Answer 49

Analysis and incident identification
•Classify and prioritize
•Downgrade low priority alerts to log-only

When notification has taken place, the CIRT or other responsible person(s) must
analyze the event to determine whether a genuine incident has been identified and
what level of priority it should be assigned. Analysis will depend on identifying the type
of incident and the data or resources affected (its scope and impact). At this point,
the incident management database should have a record of the event indicators, the
nature of the incident, its impact, and the incident investigator responsible. The next
phase of incident management is to determine an appropriate response.

Question 50

SIEM and incident analysis

Answer 50

Coupled with an attack framework, notification will provide a general sense of where
to look for or expect indicators of malicious activity. Incident analysis is greatly
facilitated by a security information and event management (SIEM) system. A SIEM
parses network traffic and log data from multiple sensors, appliances, and hosts and
normalizes the information to standard field types.

Question 51

Correlation (SIEM)

Answer 51

Correlation
•Static rules and logical expressions
•Threat intelligence feeds
•AI-assisted analysis

The SIEM can then run correlation rules on indicators extracted from the data sources
to detect events that should be investigated as potential incidents. You can also filter or
query the data based on the type of incident that has been reported.
Correlation means interpreting the relationship between individual data points to
diagnose incidents of significance to the security team.

Question 52

SIEM - •Static rules and logical expressions

Answer 52

A SIEM correlation rule is a
statement that matches certain conditions. These rules use logical expressions, such as
AND and OR, and operators, such as == (matches), < (less than), > (greater than), and
in (contains). For example, a single-user logon failure is not a condition that should
raise an alert. Multiple user logon failures for the same account, taking place within
the space of one hour, is more likely to require investigation and is a candidate for
detection by a correlation rule.
Error.LogonFailure > 3 AND LogonFailure.User AND
Duration < 1 hour

Question 53

• Threat intelligence feeds

* AI-assisted analysis

Answer 53

As well as correlation between indicators observed on the network, a SIEM is likely to
be configured with a threat intelligence feed. This means that data points observed on
the network can be associated with known threat actor indicators, such as IP addresses
and domain names. AI-assisted analysis enables more sophisticated alerting and
detection of anomalous behavior.

Question 54

Retention (SIEM)

Answer 54

Retention
•Preserve evidence of attack
•Facilitate threat hunting and retrospective incident identification

A SIEM can enact a retention policy so that historical log and network traffic data is kept
for a defined period. This allows for retrospective incident and threat hunting, and can
be a valuable source of forensic evidence.

Question 55

SIEM Dashboards

Answer 55

Analyst dashboard
•Console of alerts that require prioritization and investigation

Manager dashboard
•Overall status indicators

Sensitivity and alerts
•Log only/alert/alarm

Sensors
•Source for network traffic data
•Aggregate data under one dashboard
•Per-sensor dashboards

Question 56

Analyst dashboard

Answer 56

Analyst dashboard

•Console of alerts that require prioritization and investigation

Question 57

Manager dashboard

Answer 57

•Overall status indicators

Question 58

Sensitivity and alerts

Answer 58

Sensitivity and alerts
•Log only/alert/alarm

One of the greatest challenges in operating a SIEM is tuning the system sensitivity
to reduce false positive indicators being reported as an event. This is difficult firstly
because there isn’t a simple dial to turn for overall sensitivity, and secondly because
reducing the number of rules that produce events increases the risk of false negatives.
A false negative is where indicators that should be correlated as an event and raise an
alert are ignored.
The correlation rules are likely to assign a criticality level to each match. For example:
• Log only—an event is produced and added to the SIEM’s database, but it is
automatically classified.
• Alert—the event is listed on a dashboard or incident handling system for an agent to
assess. The agent classifies the event and either dismisses it to the log or escalates it
as an incident.
• Alarm—the event is automatically classified as critical and a priority alarm is raised.
This might mean emailing an incident handler or sending a text message.

Question 59

Sensors

Answer 59

Sensors
•Source for network traffic data
•Aggregate data under one dashboard
•Per-sensor dashboards

A sensor is a network tap or port mirror that performs packet capture and intrusion
detection. One of the key uses of a SIEM is to aggregate data from multiple sensors and
log sources, but it might also be appropriate to configure dashboards that show output
from a single sensor or source host.

Question 60

Trend analysis

Answer 60

Trend analysis is the process of detecting patterns or indicators within a data set
over a time series and using those patterns to make predictions about future events.
A trend is difficult to spot by examining each event in a log file.

Instead, you need
software to visualize the incidence of types of event and show how the number or
frequency of those events changes over time.

Question 61

Frequency-based trend analysis

Answer 61

Frequency-based trend analysis establishes a baseline for a metric, such as number
of NXERROR DNS log events per hour of the day. If the frequency exceeds (or in
some cases undershoots) the threshold for the baseline, then an alert is raised.

Question 62

Volume-based trend analysis

Answer 62

Volume-based trend analysis can be performed with simpler indicators. For example, one simple metric for determining threat level is log volume. If logs
are growing much faster than they were previously, there is a good chance that
something needs investigating. Volume-based analysis also applies to network
traffic. You might also measure endpoint disk usage. Client workstations don’t
usually need to store data locally, so if a host’s disk capacity has suddenly
diminished, it could be a sign that it is being used to stage data for exfiltration.

Question 63

Statistical deviation analysis

Answer 63

Statistical deviation analysis can show when a data point should be treated as
suspicious. For example, a cluster graph might show activity by standard users and
privileged users, invoking analysis of behavioral metrics of what processes each type
runs, which systems they access, and so on. A data point that appears outside the
two clusters for standard and administrative users might indicate some suspicious
activity by that account.

Question 64

Logging Platforms

Answer 64

Just remember these are Logging platforms

Syslog
•Logging format, protocol, and server (daemon) software
•PRI –facility and severity
•Timestamp
•Host
•Message part

Rsyslog and syslog-ng

journalctl
•Binary logging

Nxlog
•Log normalization tool

Question 65

System and security logs

Answer 65

System and security logs
•Application
•Security/audit
•System
•Setup
•Forwarded events

One source of security information is the event log from each network server or client.

When events are generated, they are placed into log categories. These categories
describe the general nature of the events or what areas of the OS they affect. The five
main categories of Windows event logs are:
• Application—events generated by applications and services, such as when a service
cannot start.
• Security—audit events, such as a failed logon or access to a file being denied.
• System—events generated by the operating system and its services, such as storage
volume health checks.
• Setup—events generated during the installation of Windows.
• Forwarded Events—events that are sent to the local log from other hosts.

Question 66

Network Logs

Answer 66

Network logs
•Traffic and access data from network appliances

Network logs are generated by appliances such as routers, firewalls, switches, and
access points. Log files will record the operation and status of the appliance itself—the
system log for the appliance—plus traffic and access logs recording network behavior,
such as a host trying to use a port that is blocked by the firewall, or an endpoint trying
to use multiple MAC addresses when connected to a switch.

Question 67

Authentication Logs

Answer 67

Authentication logs
•Security log or RADIUS/TACACS+ application logs

Authentication attempts for each host are likely to be written to the security log. You
might also need to inspect logs from the servers authorizing logons, such as RADIUS
and TACACS+ servers or Windows Active Directory (AD) servers.

Question 68

Vulnerability scan output

Answer 68

A vulnerability scan report is another important source when determining how an
attack might have been made. The scan engine might log or alert when a scan report
contains vulnerabilities. The report can be analyzed to identify vulnerabilities that have
not been patched or configuration weaknesses that have not been remediated. These
can be correlated to recently developed exploits.

Question 69

Application Log Files

Answer 69

An application log file is simply one that is managed by the application rather than
the OS.

DNS event logs
•Types of queries made by clients
•Hosts using suspicious IP address ranges or domains
•Statistical anomalies

Web/HTTP access logs
•HTTP status codes
•HTTP headers

VoIP and call managers and Session Initiation Protocol (SIP) traffic
•Log endpoint connections
•Type of connection
•Via headers

Dump files
•Data from system memory

Question 70

DNS Event Logs

Answer 70

DNS event logs
•Types of queries made by clients
•Hosts using suspicious IP address ranges or domains
•Statistical anomalies

A DNS server may log an event each time it handles a request to convert between a
domain name and an IP address. DNS event logs can hold a variety of information that
may supply useful security intelligence, such as:
• The types of queries a host has made to DNS.
• Hosts that are in communication with suspicious IP address ranges or domains.
• Statistical anomalies such as spikes or consistently large numbers of DNS
lookup failures, which may point to computers that are infected with malware,
misconfigured, or running obsolete or faulty applications.

Question 71

Web/HTTP Access Logs

Answer 71

Web/HTTP access logs
•HTTP status codes
•HTTP headers

Web servers are typically configured to log HTTP traffic that encounters an error or
traffic that matches some predefined rule set…..

Question 72

VoIP and call managers and Session Initiation Protocol (SIP) traffic

Answer 72

VoIP and call managers and Session Initiation Protocol (SIP) traffic
•Log endpoint connections
•Type of connection
•Via headers

The call manager’s access log can be
audited for suspicious connections.

Question 73

Dump Files

Answer 73

Dump files
•Data from system memory

System memory contains volatile data. A system memory dump creates an image
file that can be analyzed to identify the processes that are running, the contents of
temporary file systems, registry data, network connections, cryptographic keys, and
more. It can also be a means of accessing data that is encrypted when stored on a
mass storage device.

Question 74

Metadata

Answer 74

Metadata is the properties of data as it is created by an application, stored on media,
or transmitted over a network. A number of metadata sources are likely to be useful
when investigating incidents, because they can establish timeline questions, such as
when and where, as well as containing other types of evidence.

File
•Date/time and security attributes
•Extended attributes and properties

Web
•Request and response headers

Email
•Internet header listing message transfer agents
•Spam/security analysis

Mobile
•Call detail records (CDRs)

Question 75

File (metadata)

Answer 75

File
•Date/time and security attributes
•Extended attributes and properties

File metadata is stored as attributes. The file system tracks when a file was created,
accessed, and modified. A file might be assigned a security attribute, such as marking
it as read-only or as a hidden or system file. The ACL attached to a file showing its
permissions represents another type of attribute. Finally, the file may have extended
attributes recording an author, copyright information, or tags for indexing/searching.

Question 76

Web (metadata)

Answer 76

Web
•Request and response headers

When a client requests a resource from a web server, the server returns the resource
plus headers setting or describing its properties. Also, the client can include headers
in its request. One key use of headers is to transmit authorization information, in
the form of cookies. Headers describing the type of data returned (text or binary, for
instance) can also be of interest. The contents of headers can be inspected using the
standard tools built into web browsers. Header information may also be logged by a
web server.

Question 77

Email (metadata)

Answer 77

Email
•Internet header listing message transfer agents
•Spam/security analysis

An email’s Internet header contains address information for the recipient and sender,
plus details of the servers handling transmission of the message between them. When

Question 78

Mobile (metadata)

Answer 78

Mobile
•Call detail records (CDRs)

Mobile phone metadata comprises call detail records (CDRs) of incoming, outgoing,
and attempted calls and SMS text time, duration, and the opposite party’s number.
Metadata will also record data transfer volumes.

Question 79

Network Data Sources

Answer 79

I didn’t really get this one, so i skipped it.

Network data is typically analyzed in detail at the level of individual frames or using
summary statistics of traffic flows and protocol usage.

Protocol analyzer output
•Pivot from alert event to per-packet or frame analysis
•Extract binary data

Netflow/IPFIX
•Records traffic statistics
•Flows defined by endpoints and ports (keys)
•Netflowexporters and collectors

sFlow
•Uses sampling to estimate statistics

•Bandwidth monitor

Question 80

Incident Containment Phase

Answer 80

Response must satisfy different or competing objectives
•What is the loss or potential for loss?
•What countermeasures are available?
•What evidence can be collected?

When an incident has been identified, classified, and prioritized, the next phase of
incident response is containment. Containment techniques can be classed as either
isolation-based or segmentation-based.

Question 81

Conatiment classifications

Answer 81

isolation based or

segmentation basedbased

Question 82

Isolation-Based Containment

Answer 82

Isolation-based containment
•Remove the affected system
•Disconnect hosts from power
•Prevent hosts communicating on network
•Disable user accounts or applications

Question 83

Segmentation-based containment

Answer 83

Segmentation-based containment
•Use sinkhole or sandbox to analyze attack

….As opposed to completely isolating the
hosts, you might configure the protected segment as a sinkhole or honeynet and allow
the attacker to continue to receive filtered (and possibly modified) output over the
C&C channel to deceive him or her into thinking the attack is progressing successfully.
Analysis of the malware code by reverse engineering it could provide powerful
deception capabilities. You

Question 84

Incident Eradication and Recovery

Answer 84

• Eradication of attack tools and access methods
• Recovery of systems to restore the operation of business workflows

Includes the following steps:
1Reconstitution of affected systems
2Re-audit security controls –what could have prevented the intrusion?
3 Notify affected third parties

Question 85

Firewall Configuration Changes

Answer 85

• Analyzeattack to determine vector
• Reduce attack surface through configuration changes
  
  • New security control
  • Update existing control configuration

Question 86

Ingress filtering rules vs egress filtering (firewall)

Answer 86

Historically, many organizations focused on ingress filtering rules, designed to
prevent local network penetration from the Internet. In the current threat landscape,
it is imperative to also apply strict egress filtering rules to prevent malware that has
infected internal hosts by other means from communicating out to C&C servers. Egress
filtering can be problematic in terms of interrupting authorized network activity, but it
is an essential component of modern network defense

Question 87

Content Filter Configuration Changes

Answer 87

Secure web gateway for egress filtering
•Update URL/content filtering using threat data

Data loss prevention (DLP)
•Identify whether DLP mechanisms were circumvented

Mobile device management (MDM)
•Identify whether MDM mechanisms were circumvented

Update or revoke certificates
•
Remove compromised root certificates from trust stores
•Revoke certificates on compromised hosts
•Re-key certificate

Question 88

secure web gateways (SWGs). (content filter configuration changes)

Answer 88

Secure web gateway for egress filtering
•Update URL/content filtering using threat data

A SWG mediates
user access to Internet services, with the ability to block content from regularly
updated URL/domain/IP blacklists and perform intrusion detection/prevention on
traffic based on matching content in application layer protocol headers and payloads.

Question 89

Data loss prevention (DLP) (content filter configuration changes)

Answer 89

Data loss prevention (DLP)
•Identify whether DLP mechanisms were circumvented

Data loss prevention (DLP) performs a similar function, but instead of user access it
mediates the copying of tagged data to restrict it to authorized media and services. An
attack may reveal the necessity of investing in DLP as a security control if one is not
already implemented. If DLP is enabled and configured in the correct way to enforce
policy, the attacker may have been able to circumvent it using a backdoor method
that the DLP software cannot scan. Alternatively, the attacker may have been able to
disguise the data so that it was not recognized.

Question 90

Mobile Device Management (MDM) (content filter configuration changes)

Answer 90

Mobile device management (MDM)
•Identify whether MDM mechanisms were circumvented

Mobile Device Management (MDM) provides execution control over apps and features
of smartphones. Features include GPS, camera, and microphone. As with DLP, an
intrusion might reveal a vector that allowed the threat actor to circumvent enrollment
or a misconfiguration in the MDM’s policy templates.

Question 91

Update or revoke certificates (content filter configuration changes)

Answer 91

Update or revoke certificates
•Remove compromised root certificates from trust stores
•Revoke certificates on compromised hosts
•Re-key certificate

Question 92

Endpoint Configuration Changes

Answer 92

Re-assess attack surface and attack vectors
•Social engineering
•Vulnerabilities
•Lack of security controls
•Configuration drift
•Weak configuration

Application allow lists/block lists
•Change to least privilege
•Identify failure of controls to prevent execution

Quarantine
•Isolate suspect systems for analysis in sandbox

Question 93

Security Orchestration, Automation, and Response (SOAR)

Answer 93

• Automation versus orchestration
• Security orchestration, automation, and response(SOAR)
  
  • Incident response
  • Threat hunting
• Integrates SDN/SDV APIs, orchestration tools, and cyber-threat intelligence (CTI) feeds
• AI-assisted user and entity behavioranalytics (UEBA)
• Runbooks versus playbooks

Question 94

•Automation versus orchestration

Answer 94

Automation is the action of scripting a single activity, while orchestration is the action of
coordinating multiple automations (and possibly manual activity) to perform a complex,
multistep task.

Question 95

Security orchestration, automation, and response(SOAR)

Answer 95

Security orchestration, automation, and response(SOAR)
•Incident response
•Threat hunting

SOAR is designed as a solution to the problem
of the volume of alerts overwhelming analysts’ ability to respond, measured as the
mean time to respond (MTTR). A SOAR may be implemented as a standalone technology
or integrated with a SIEM—often referred to as a next-gen SIEM. The basis of SOAR
is to scan the organization’s store of security and threat intelligence, analyze it using
machine/deep learning techniques, and then use that data to automate and provide data
enrichment for the workflows that drive incident response and threat hunting.

Question 96

Integrates SDN/SDV APIs, orchestration tools, and cyber-threat intelligence (CTI) feeds

Answer 96

SOAR can also
assist with provisioning tasks, such as creating and deleting user accounts, making shares
available, or launching VMs from templates, to try to eliminate configuration errors. The
SOAR will use technologies such as cloud and SDN/SDV APIs, orchestration tools, and
cyberthreat intelligence (CTI) feeds to integrate the different systems that it is managing.

Question 97

•AI-assisted user and entity behavioranalytics (UEBA)[SOAR]

Answer 97

SOAR will also leverage technologies such as automated malware signature creation and user
and entity behavior analytics (UEBA) to detect threats.

Question 98

Runbooks versus playbooks

Answer 98

A playbook is a
checklist of actions to perform to detect and respond to a specific type of incident.

The aim of a runbook is to automate
as many stages of the playbook as possible, leaving clearly defined interaction points
for human analysis.

Question 99

Adversarial Artificial Intelligence

Answer 99

• Machine learning relies on training data to develop analysis capability
• Threat actor may be able to submit tainted samples
• Adversarial AI
• Security of machine learning algorithms