Lesson 17 + 18 Performing Incident Response/Explaining Digital Forensics

Question 1

Incident Response Process

Answer 1

Incident Response Process

1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery.
6. Lesson Learned/ Post-Incident Activity

Question 2

CIRT CSIRT CERT

Answer 2

Large organizations will provide a dedicated team as a single point-of-contact for the notification of security incidents.

This team is variously described as a cyber incident response team (CIRT), computer security incident response team (CSIRT), or computer emergency response team (CERT)

Question 3

incident response plan (IRP)

Answer 3

incident response plan (IRP) lists the procedures, contacts, and resources available to responders for various incident categories.

Question 4

playbook (or runbook)

Answer 4

playbook (or runbook) is a data-driven SOP to assist junior analysts in detecting and responding to specific cyber threat scenarios, such as phishing attempts, SQL injection data exfiltration, connection to a blacklisted IP range,

Question 5

MITRE Corporation’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK)

Answer 5

MITRE Corporation’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) -

tags each technique with a unique ID and places it in one or more tactic categories, such as initial access, persistence, lateral movement, or command and control.

Question 6

The Diamond Model of Intrusion Analysis

Answer 6

The Diamond Model of Intrusion Analysis

a framework to analyze an intrusion event by exploring the relationships between four core features: adversary, capability, infrastructure, and victim.

Question 7

Disaster recovery plan

Answer 7

Disaster recovery plan

Disaster recovery requires considerable resources, such as shifting processing to a secondary site

Question 8

Business continuity plan (BCP)

Answer 8

Business continuity plan (BCP)

identifies how business processes should deal with both minor and disaster-level disruption.

During an incident, a system may need to be isolated. Continuity planning ensures that there is redundancy to supporting the workflow, so that when a server is taken offline for security remediation, processing can fail over to a separate system.

Question 9

Continuity of Operation Planning (COOP)

Answer 9

Continuity of Operation Planning (COOP)

terminology is used for government facilities, but is functionally similar to business continuity planning.

In some definitions, COOP refers specifically to backup methods of performing mission functions without IT support.

Question 10

retention policy

Answer 10

retention policy

for historic logs and data captures sets the period over which these are retained.

Question 11

SIEM

Answer 11

A SIEM parses network traffic and log data from multiple sensors, appliances, and hosts and normalizes the information to standard field types.

Question 12

Correlation

Answer 12

Correlation means interpreting the relationship between individual data points to diagnose incidents of significance to the security team.

A SIEM correlation rule is a statement that matches certain conditions.

Question 13

sensor

Answer 13

A sensor is a network tap or port mirror that performs packet capture and intrusion detection.

One of the key uses of a SIEM is to aggregate data from multiple sensors and log sources

Question 14

Trend analysis

Answer 14

Trend analysis

process of detecting patterns or indicators within a data set over a time series and using those patterns to make predictions about future events.

Question 15

Frequency-based trend analysis

Answer 15

Frequency-based trend analysis establishes a baseline for a metric, such as number of NXERROR DNS log events per hour of the day.

of time / hour

Question 16

Volume-based trend analysis

Answer 16

Volume-based trend analysis

one simple metric for determining threat level is log volume.

If logs are growing much faster than they were previously, there is a good chance that something needs investigating.

Question 17

Statistical deviation analysis

Answer 17

Statistical deviation analysis can show when a data point should be treated as suspicious.

Question 18

Rsyslog

Answer 18

Rsyslog is an open-source software utility used on UNIX and Unix-like computer systems for forwarding log messages in an IP network

can work over TCP and use a secure connection

Question 19

Syslog-ng

Answer 19

Syslog-ng uses TCP/secure communications and more advanced options for message filtering.

Question 20

journald

Answer 20

In Linux to view events in journald directly, you can use the journalctl command to print the entire journal log (like syslog)

Question 21

NXlog

Answer 21

NXlog – open source to collect Windows logs.

XML format and normalizes to a syslog format.

Question 22

System + Security Logs::

Answer 22

System + Security Logs:

• Application—events generated by applications and services, such as when a service cannot start.
• Security—audit events, such as a failed logon or access to a file being denied.
• System—events generated by the operating system and its services, such as storage volume health checks.
• Setup—events generated during the installation of Windows.
• Forwarded Events—events that are sent to the local log from other hosts.

Question 23

system memory dump

Answer 23

System memory contains volatile data.

A system memory dump creates an image file that can be analyzed to identify the processes that are running, the contents of temporary file systems, registry data, network connections, cryptographic keys, and more.

Question 24

Metadata

Answer 24

Metadata is the properties of data as it is created by an application, stored on media, or transmitted over a network.

A number of metadata sources are likely to be useful when investigating incidents, because they can establish timeline questions, such as when and where, as well as containing other types of evidence.

Question 25

flow collector

Answer 25

flow collector is a means of recording metadata and statistics about network traffic rather than recording each frame

Question 26

NetFlow

Answer 26

NetFlow is a Cisco-developed means of reporting network flow information to a structured database.

Question 27

sFlow (Developed by HP)

Answer 27

sFlow (Developed by HP) - uses sampling to measure traffic statistics at any layer of the OSI model for a wider range of protocol types than the IP-based Netflow.

sFlow can also capture the entire packet header for samples.

Question 28

Unexpected bandwidth consumption

Answer 28

Bandwidth usage can be a key indicator of suspicious behavior, if you have reliable baselines for comparison.

Unexpected bandwidth consumption could be evidence of a data exfiltration attack.

Bandwidth usage reported by flow collectors.

Question 29

Isolation-Based Containment

Answer 29

Isolation involves removing an affected component from whatever larger environment it is a part of.

Mitigation: disconnect the host from the network completely, either by pulling the network plug (creating an air gap) or disabling its switch port.

If a group of hosts is affected, you could use routing infrastructure to isolate one or more infected VLANs in a black hole that is not reachable from the rest of the network.

Another possibility is to use firewalls or other security filters to prevent infected hosts from communicating, isolation could also refer to disabling a user account or application service.

Question 30

Segmentation-Based Containment:

Answer 30

Segmentation-Based Containment:

means of achieving the isolation of a host or group of hosts using network technologies and architecture.

Segmentation uses VLANs, routing/subnets, and firewall ACLs to prevent a host or group of hosts from communicating outside the protected segment.

Question 31

Mobile Device Management (MDM)

Answer 31

Mobile Device Management (MDM) provides execution control over apps and features of smartphones.

Features include GPS, camera, and microphone.

Question 32

security orchestration, automation, and response (SOAR)

Answer 32

security orchestration, automation, and response (SOAR), this task is principally incident response.

SOAR is designed as a solution to the problem of the volume of alerts overwhelming analysts’ ability to respond, measured as the meantime to respond (MTTR)

Question 33

incident response workflow

Answer 33

An incident response workflow is usually defined as a playbook.

A playbook is a checklist of actions to perform to detect and respond to a specific type of incident

Question 34

runbook

Answer 34

Aim of a runbook is to automate as many stages of the playbook as possible, leaving clearly defined interaction points for human analysis.

Question 35

Artificial Intelligence (AI)-type systems

Answer 35

Artificial Intelligence (AI)-type systems

used extensively for user and entity behavior analytics (UEBA).

A UEBA is trained on security data from customer systems and honeypots. This allows the AI to determine features of malicious code and account activity and to recognize those features in novel data streams.

Question 36

Adversarial AI

Answer 36

Adversarial AI - The attacker may use his or her own AI resources as a means of generating samples

Question 37

Digital forensics

Answer 37

Digital forensics is the practice of collecting evidence from computer systems to a standard that will be accepted in a court of law

Question 38

digital evidence is latent

Answer 38

Like DNA or fingerprints, digital evidence is latent. Latent means that the evidence cannot be seen with the naked eye; rather, it must be interpreted using a machine or process, digital forensics requires documentation showing how the evidence was collected and analyzed without tampering or bias

Question 39

Due process

Answer 39

Due process is a term used in US and UK common law to require that people only be convicted of crimes following the fair application of the laws of the land

Question 40

Chain of custody documentation

Answer 40

Chain of custody documentation reinforces the integrity and proper handling of evidence from collection, to analysis, to storage, and finally to presentation.

Question 41

E-discovery

Answer 41

E-discovery is a means of filtering the relevant evidence produced from all the data gathered by a forensic examination and storing it in a database in a format such that it can be used as evidence in a trial.

Question 42

Digital forensics can be used for information gathering to protect against espionage and hacking. This intelligence is deployed in two different ways:

Answer 42

• Counterintelligence—identification and analysis of specific adversary tactics, techniques, and procedures (TTP) provides information about how to configure and audit active logging systems so that they are most likely to capture evidence of attempted and successful intrusions.
• Strategic intelligence—data and research that has been analyzed to produce actionable insights. These insights are used to inform risk management and security control provisioning to build mature cybersecurity capabilities.

Question 43

Acquisition

Answer 43

Acquisition is the process of obtaining a forensically clean copy of data from a device held as evidence.

Question 44

Data acquisition

Answer 44

Data acquisition is also complicated by the fact that it is more difficult to capture evidence from a digital crime scene than it is from a physical one.

Some evidence will be lost if the computer system is powered off; on the other hand, some evidence may be unobtainable until the system is powered off.

Question 45

Disk Image Acquisition

Static acquisition by shutting down the host

Answer 45

Static acquisition by shutting down the host—this runs the risk that the malware will detect the shutdown process and perform anti-forensics to try to remove traces of itself.

Question 46

Disk Image Acquisition

Live Acquisition

Answer 46

Live Acquisition: A specialist hardware or software tool can capture the contents of memory while the host is running.

Question 47

Disk Image Acquisition:

Static acquisition by pulling the plug

Answer 47

Static acquisition by pulling the plug

Means disconnecting the power at the wall socket. This is most likely to preserve the storage devices in a forensically clean state, but there is the risk of corrupting data.

Question 48

Data recovery

Answer 48

Data recovery refers to analyzing a disk (or image of a disk) for file fragments stored in slack space.

These fragments might represent deleted or overwritten files. The process of recovering them is referred to as carving.