Lesson 17 + 18 Performing Incident Response/Explaining Digital Forensics Flashcards
Incident Response Process
Incident Response Process
- Preparation
- Identification
- Containment
- Eradication
- Recovery.
- Lesson Learned/ Post-Incident Activity
CIRT CSIRT CERT
Large organizations will provide a dedicated team as a single point-of-contact for the notification of security incidents.
This team is variously described as a cyber incident response team (CIRT), computer security incident response team (CSIRT), or computer emergency response team (CERT)
incident response plan (IRP)
incident response plan (IRP) lists the procedures, contacts, and resources available to responders for various incident categories.
playbook (or runbook)
playbook (or runbook) is a data-driven SOP to assist junior analysts in detecting and responding to specific cyber threat scenarios, such as phishing attempts, SQL injection data exfiltration, connection to a blacklisted IP range,
MITRE Corporation’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK)
MITRE Corporation’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) -
tags each technique with a unique ID and places it in one or more tactic categories, such as initial access, persistence, lateral movement, or command and control.
The Diamond Model of Intrusion Analysis
The Diamond Model of Intrusion Analysis
a framework to analyze an intrusion event by exploring the relationships between four core features: adversary, capability, infrastructure, and victim.
Disaster recovery plan
Disaster recovery plan
Disaster recovery requires considerable resources, such as shifting processing to a secondary site
Business continuity plan (BCP)
Business continuity plan (BCP)
identifies how business processes should deal with both minor and disaster-level disruption.
During an incident, a system may need to be isolated. Continuity planning ensures that there is redundancy to supporting the workflow, so that when a server is taken offline for security remediation, processing can fail over to a separate system.
Continuity of Operation Planning (COOP)
Continuity of Operation Planning (COOP)
terminology is used for government facilities, but is functionally similar to business continuity planning.
In some definitions, COOP refers specifically to backup methods of performing mission functions without IT support.
retention policy
retention policy
for historic logs and data captures sets the period over which these are retained.
SIEM
A SIEM parses network traffic and log data from multiple sensors, appliances, and hosts and normalizes the information to standard field types.
Correlation
Correlation means interpreting the relationship between individual data points to diagnose incidents of significance to the security team.
A SIEM correlation rule is a statement that matches certain conditions.
sensor
A sensor is a network tap or port mirror that performs packet capture and intrusion detection.
One of the key uses of a SIEM is to aggregate data from multiple sensors and log sources
Trend analysis
Trend analysis
process of detecting patterns or indicators within a data set over a time series and using those patterns to make predictions about future events.
Frequency-based trend analysis
Frequency-based trend analysis establishes a baseline for a metric, such as number of NXERROR DNS log events per hour of the day.
of time / hour
Volume-based trend analysis
Volume-based trend analysis
one simple metric for determining threat level is log volume.
If logs are growing much faster than they were previously, there is a good chance that something needs investigating.
Statistical deviation analysis
Statistical deviation analysis can show when a data point should be treated as suspicious.
Rsyslog
Rsyslog is an open-source software utility used on UNIX and Unix-like computer systems for forwarding log messages in an IP network
can work over TCP and use a secure connection
Syslog-ng
Syslog-ng uses TCP/secure communications and more advanced options for message filtering.
journald
In Linux to view events in journald directly, you can use the journalctl command to print the entire journal log (like syslog)
NXlog
NXlog – open source to collect Windows logs.
XML format and normalizes to a syslog format.
System + Security Logs::
System + Security Logs:
- Application—events generated by applications and services, such as when a service cannot start.
- Security—audit events, such as a failed logon or access to a file being denied.
- System—events generated by the operating system and its services, such as storage volume health checks.
- Setup—events generated during the installation of Windows.
- Forwarded Events—events that are sent to the local log from other hosts.
system memory dump
System memory contains volatile data.
A system memory dump creates an image file that can be analyzed to identify the processes that are running, the contents of temporary file systems, registry data, network connections, cryptographic keys, and more.
Metadata
Metadata is the properties of data as it is created by an application, stored on media, or transmitted over a network.
A number of metadata sources are likely to be useful when investigating incidents, because they can establish timeline questions, such as when and where, as well as containing other types of evidence.
