Lesson 17 + 18 Performing Incident Response/Explaining Digital Forensics Flashcards
Incident Response Process
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learned / Post-Incident Activity
CIRT / CSIRT / CERT
Large organizations will provide a dedicated team as a single point-of-contact for the notification of security incidents.
This team is variously described as a cyber incident response team (CIRT), computer security incident response team (CSIRT), or computer emergency response team (CERT).
incident response plan (IRP)
An incident response plan (IRP) lists the procedures, contacts, and resources available to responders for various incident categories.
playbook (or runbook)
A playbook (or runbook) is a data-driven SOP to assist junior analysts in detecting and responding to specific cyber threat scenarios, such as phishing attempts, SQL injection data exfiltration, connection to a blacklisted IP range, and so on.
MITRE Corporation’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK)
MITRE Corporation’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) tags each technique with a unique ID and places it in one or more tactic categories, such as initial access, persistence, lateral movement, or command and control.
The Diamond Model of Intrusion Analysis
The Diamond Model of Intrusion Analysis is a framework to analyze an intrusion event by exploring the relationships between four core features: adversary, capability, infrastructure, and victim.
Disaster recovery plan
Disaster recovery requires considerable resources, such as shifting processing to a secondary site.
Business continuity plan (BCP)
A business continuity plan (BCP) identifies how business processes should deal with both minor and disaster-level disruption.
During an incident, a system may need to be isolated. Continuity planning ensures that there is redundancy to support the workflow, so that when a server is taken offline for security remediation, processing can fail over to a separate system.
Continuity of Operation Planning (COOP)
Continuity of Operation Planning (COOP) terminology is used for government facilities, but is functionally similar to business continuity planning.
In some definitions, COOP refers specifically to backup methods of performing mission functions without IT support.
retention policy
A retention policy for historic logs and data captures sets the period over which these are retained.
SIEM
A SIEM parses network traffic and log data from multiple sensors, appliances, and hosts and normalizes the information to standard field types.
Correlation
Correlation means interpreting the relationship between individual data points to diagnose incidents of significance to the security team.
A SIEM correlation rule is a statement that matches certain conditions.
sensor
A sensor is a network tap or port mirror that performs packet capture and intrusion detection.
One of the key uses of a SIEM is to aggregate data from multiple sensors and log sources.
Trend analysis
Trend analysis is the process of detecting patterns or indicators within a data set over a time series and using those patterns to make predictions about future events.
Frequency-based trend analysis
Frequency-based trend analysis establishes a baseline for a metric, such as number of NXERROR DNS log events per hour of the day.
Volume-based trend analysis
One simple metric for determining threat level is log volume.
If logs are growing much faster than they were previously, there is a good chance that something needs investigating.
Statistical deviation analysis
Statistical deviation analysis can show when a data point should be treated as suspicious.
Rsyslog
Rsyslog is an open-source software utility used on UNIX and Unix-like computer systems for forwarding log messages in an IP network. It can work over TCP and use a secure connection.
Syslog-ng
Syslog-ng uses TCP/secure communications and more advanced options for message filtering.
journald
In Linux, to view events in journald directly, you can use the journalctl command to print the entire journal log (similar to syslog).
NXlog
NXlog is an open-source tool used to collect Windows logs.
It takes the Windows XML log format and normalizes it to a syslog format.
System + Security Logs:
- Application—events generated by applications and services, such as when a service cannot start.
- Security—audit events, such as a failed logon or access to a file being denied.
- System—events generated by the operating system and its services, such as storage volume health checks.
- Setup—events generated during the installation of Windows.
- Forwarded Events—events that are sent to the local log from other hosts.
system memory dump
System memory contains volatile data.
A system memory dump creates an image file that can be analyzed to identify the processes that are running, the contents of temporary file systems, registry data, network connections, cryptographic keys, and more.
Metadata
Metadata is the properties of data as it is created by an application, stored on media, or transmitted over a network.
A number of metadata sources are likely to be useful when investigating incidents, because they can establish timeline questions, such as when and where, as well as containing other types of evidence.
flow collector
A flow collector is a means of recording metadata and statistics about network traffic rather than recording each frame.
NetFlow
NetFlow is a Cisco-developed means of reporting network flow information to a structured database.
sFlow (Developed by HP)
sFlow (developed by HP) uses sampling to measure traffic statistics at any layer of the OSI model for a wider range of protocol types than the IP-based NetFlow.
sFlow can also capture the entire packet header for samples.
Unexpected bandwidth consumption
Bandwidth usage can be a key indicator of suspicious behavior, if you have reliable baselines for comparison.
Unexpected bandwidth consumption could be evidence of a data exfiltration attack.
Bandwidth usage is reported by flow collectors.
Isolation-Based Containment
Isolation involves removing an affected component from whatever larger environment it is a part of.
Mitigation: disconnect the host from the network completely, either by pulling the network plug (creating an air gap) or disabling its switch port.
If a group of hosts is affected, you could use routing infrastructure to isolate one or more infected VLANs in a black hole that is not reachable from the rest of the network.
Another possibility is to use firewalls or other security filters to prevent infected hosts from communicating. Isolation could also refer to disabling a user account or application service.
Segmentation-Based Containment:
Segmentation-based containment is a means of achieving the isolation of a host or group of hosts using network technologies and architecture.
Segmentation uses VLANs, routing/subnets, and firewall ACLs to prevent a host or group of hosts from communicating outside the protected segment.
Mobile Device Management (MDM)
Mobile Device Management (MDM) provides execution control over apps and features of smartphones.
Features include GPS, camera, and microphone.
security orchestration, automation, and response (SOAR)
Security orchestration, automation, and response (SOAR) is principally applied to the task of incident response.
SOAR is designed as a solution to the problem of the volume of alerts overwhelming analysts’ ability to respond, measured as the mean time to respond (MTTR).
incident response workflow
An incident response workflow is usually defined as a playbook.
A playbook is a checklist of actions to perform to detect and respond to a specific type of incident.
runbook
The aim of a runbook is to automate as many stages of the playbook as possible, leaving clearly defined interaction points for human analysis.
Artificial Intelligence (AI)-type systems
Artificial Intelligence (AI)-type systems are used extensively for user and entity behavior analytics (UEBA).
A UEBA is trained on security data from customer systems and honeypots. This allows the AI to determine features of malicious code and account activity and to recognize those features in novel data streams.
Adversarial AI
Adversarial AI: the attacker may use his or her own AI resources as a means of generating samples.
Digital forensics
Digital forensics is the practice of collecting evidence from computer systems to a standard that will be accepted in a court of law.
digital evidence is latent
Like DNA or fingerprints, digital evidence is latent. Latent means that the evidence cannot be seen with the naked eye; rather, it must be interpreted using a machine or process. Digital forensics therefore requires documentation showing how the evidence was collected and analyzed without tampering or bias.
Due process
Due process is a term used in US and UK common law to require that people only be convicted of crimes following the fair application of the laws of the land.
Chain of custody documentation
Chain of custody documentation reinforces the integrity and proper handling of evidence from collection, to analysis, to storage, and finally to presentation.
E-discovery
E-discovery is a means of filtering the relevant evidence produced from all the data gathered by a forensic examination and storing it in a database in a format such that it can be used as evidence in a trial.
Digital forensics can be used for information gathering to protect against espionage and hacking. This intelligence is deployed in two different ways:
- Counterintelligence—identification and analysis of specific adversary tactics, techniques, and procedures (TTP) provides information about how to configure and audit active logging systems so that they are most likely to capture evidence of attempted and successful intrusions.
- Strategic intelligence—data and research that has been analyzed to produce actionable insights. These insights are used to inform risk management and security control provisioning to build mature cybersecurity capabilities.
Acquisition
Acquisition is the process of obtaining a forensically clean copy of data from a device held as evidence.
Data acquisition
Data acquisition is also complicated by the fact that it is more difficult to capture evidence from a digital crime scene than it is from a physical one.
Some evidence will be lost if the computer system is powered off; on the other hand, some evidence may be unobtainable until the system is powered off.
Disk Image Acquisition
Static acquisition by shutting down the host
Static acquisition by shutting down the host—this runs the risk that the malware will detect the shutdown process and perform anti-forensics to try to remove traces of itself.
Disk Image Acquisition
Live Acquisition
Live Acquisition: A specialist hardware or software tool can capture the contents of memory while the host is running.
Disk Image Acquisition
Static acquisition by pulling the plug
Static acquisition by pulling the plug means disconnecting the power at the wall socket. This is most likely to preserve the storage devices in a forensically clean state, but there is the risk of corrupting data.
Data recovery
Data recovery refers to analyzing a disk (or image of a disk) for file fragments stored in slack space.
These fragments might represent deleted or overwritten files. The process of recovering them is referred to as carving.