Lesson 17 Incident Response Flashcards
Incident Response Cycle
PICERL
- will be on test, usually describes a scenario and asks what the next step is
Note: Can have overlaps in steps
Prep
- have tools and training up to date and ready for use
Identify
- Detection and Analysis (it happened and what happened)
- we have a virus and which virus
- notify stakeholders
Containment
- isolation while limiting immediate impact on customers
Eradication
- Removal and destruction
- Restore to a secure state, apply secure config settings and patches
- Notify stakeholders for remediation
Recovery
- Recover data, bring systems back online
- Go back to Identify, may have not fully recovered
Post-Incident
- lessons learned, documentation
- improve Prep stage, go back to prep stage
Incident Response Plan
List of procedures, contacts, and resources available to responders
Playbooks (or run books) are data-driven standard operating procedures (SOPs) to assist in detecting and responding to cyberthreat scenarios
Incident categorization
Prioritization factors
Important to have:
- Minimize Panic
Important to practice:
- provides training and familiarity with the plan
Cyber Kill Chain Attack Framework
or
Steps of Attack / Framework
will be on test
Steps of Attack / Framework
- Reconnaissance / Research
- Weaponization / Build your attack and tools
- Delivery / get into; Component Access
- Exploitation / Breach Security or Activation
- Installation / Persistence - how to stay
- Cmd & Control / Reach back to Attacker
- Actions on Objectives / The Attack
Other Attack Frameworks
MITRE ATT&CK
- Database of TTPs
- Tactic categories
- No explicit sequencing
Diamond Model of Intrusion
- Framework for describing adversary capability and infrastructure plus effect on victim
Incident Response Exercises
Table Top
- Facilitator presents a scenario and then the group discusses the actions to take to identify, contain, and eradicate the threat
- no actions on live system
Walkthroughs
- Responders demonstrate response actions via running scans and analyzing sample files using a sandbox
Simulators
- Red team performs simulated intrusion
- Blue team operates response and recovery controls
- White team moderates and evaluates
Disaster recovery plan
A plan used to survive and recover from a disaster-level event
Business Continuity Plan
A plan outlining mission-critical business functions and seeking to provide redundancy for them
COOP
Continuity of Operation Planning (COOP) is used for government facilities, similar to a BCP
Can refer specifically to backup methods of performing mission functions without IT support
Incident Identification
linking events together to know there has been, or may be, a pending incident
Possible event precursors:
- Establish a baseline through log files, error messages, IDS alerts, firewall alerts
- Compare deviations to established metrics to recognize their scopes
- Manual and physical inspections of site, premises, networks, and hosts
- Notifications from users, customers, suppliers
- Public reporting of vulnerabilities or threats by system vendors, regulators, the media
Out-of-band communication
Used so as not to alert an attacker that the attack has been detected.
Also provides a means of communication should the attack be on a form of communication, such as VoIP, email, etc.
SIEM Correlation
Security Information and Event Management (SIEM) can run correlation rules on indicators extracted from data sources to detect events requiring investigation as potential incidents
Correlation
to interpret the relationship between individual data points to diagnose incidents of significance to the security team
A SIEM can use logical expressions to make correlations and can be connected to a threat database feed to make better correlations to current events on the system
Retention
Keeping data for a defined period of time
A SIEM can enact a retention policy for historical log and network traffic data to be kept for a period of time
Allows for retrospective incident and threat hunting as well as for forensic evidence
Trend Analysis
process of detecting patterns or indicators within a data set over a time series and using these patterns to predict future events
Software must aid in this activity due to the sheer amount of data available
Can apply to frequency, volume, or statistical deviation
Frequency establishes a baseline for a metric
Volume can apply to logs, network traffic, or increased disk use or reduced disk space on endpoint hosts - all indicators which should raise suspicion
Statistical deviation can show where a data point should be treated as suspicious
Syslog
provides an open format, protocol, and server software for logging event messages
contains:
- a PRI code
- header with timestamp and hostname
- a message part with a tag of the source process plus content
usually uses UDP port 514
Rsyslog
an updated Syslog with the same file syntax but which can work over TCP and use a secure connection
more customizable message handling due to more types of filter expressions in the config file
Syslog-ng
uses a different configuration file than syslog but can use TCP/secure communications and more advanced options for message filtering
journald and journalctl
Linux systems use systemd to initialize the system and to start/manage background services.
logs from systemd-managed processes are kept as binary files (the journal, managed by journald)
use journalctl to read the binary log files
NXlog
an open-source log normalization tool
Used to collect Windows logs, which are XML formatted, and then normalize these logs into a syslog format
Five main categories of Windows event logs
Application
- events generated by applications and services, such as when a service cannot start
Security
- audit events, like failed logon or access to a file being denied
System
- events generated by the OS and its services such as storage volume health checks
Setup
- events generated during installation of Windows
Forwarded events
- events sent to the local log from other hosts
Network logs
Generated from network devices such as routers, firewalls, switches and access points
Records
- operation and status of the appliance
- traffic and access logs for network behavior
examples
host trying to use a port which is blocked by the firewall
endpoint trying to use multiple MAC addresses when connected to a switch
Authentication Logs
inspect security logs for authentication attempts for each host
inspect logs from server authorizing logons such as those from RADIUS, TACACS+ servers or Windows Active Directory (AD)
Vulnerability Scan Output
The scan produces a report and should be analyzed to identify vulnerabilities which have not been patched or config weaknesses which have not been addressed
Used by a scan engine to produce a log or alert entry when the report contains a vulnerability
Application Logs
can write to the Event Viewer or syslog or to any application directory selected by the developer
DNS Event Logs
Can provide useful security info:
- types of queries a host made to DNS
- host contacting suspicious IP address ranges or domains
- large number of failed DNS lookups, pointing to computers which are infected with malware, misconfigured, or running obsolete or faulty applications
Web/HTTP Access logs
Inspect status codes: codes in the 400s are client-based errors and 500s are server-based
repeated 403 (forbidden) indicates an unauthorized user
a 502 (bad gateway) indicates communication between the target server and an upstream server is blocked, or a server is down
Also can inspect HTTP header info to get a sense of the type of request being made, cookie info, MIME types, and User-Agent field (who made the request)
User Agent can be misleading
VoIP and SIP traffic
VoIP uses Session Initiation Protocol (SIP) to identify endpoints and set up the call and uses Real-time Transport Protocol (RTP) to carry the call
uses a call manager as a gateway to connect the endpoints
SIP produces logs similar to SMTP in a common log format
- identifies endpoints, type of connection, and status messaging
- inspection of this log can identify man-in-the-middle attacks if an unauthorized proxy is being connected to
Call manager access log can reveal suspicious connections
System memory dump
can identify
- running processes
- contents of temp files
- registry data
- network connections
- cryptographic keys
- means of accessing encrypted data
Metadata for file, web, email, mobile
File metadata consists of attributes: creation, access, and modified times, permissions, hidden or system file type, the ACL
Web metadata is the returned resource's header settings and the type of data returned
Email Internet headers have many attributes such as sender and receiver address info; each message transfer agent (MTA) adds lots of info including results of spam checking. Use a tool to view them, as reading the plain text can be difficult
Mobile metadata contains call detail records (CDR), SMS text times, and the opposite party’s number as well as data transfer volume.
- can use cell tower information to track location history
- CDRs saved by the mobile operator for ~18 months
- might need consent from a BYOD user
Protocol Analyzer Output
Used by a SIEM which correlates an event or alert summary to the underlying packet information
- Can help reveal the tools used in an attack
- Can possibly extract binary files such as potential malware for analysis
Network Flow collectors
A flow collector records the metadata and stats about network traffic rather than recording each frame
These tools can
- highlight trends and patterns in traffic from applications, hosts, and ports
- alert on detection of anomalies, pattern analysis, custom triggers
- create a map of network connections to help interpret patterns of traffic and flow data
- identify rogue user behavior, malware transit, tunneling, applications exceeding allocated bandwidth based on traffic patterns
- identify malware attempts to contact a handler or command and control channels
Netflow tools NetFlow/IPFIX and sFlow
NetFlow has been redeveloped into IP Flow Information Export (IPFIX)
- Cisco-developed means of reporting network flow information to a structured database
- several NetFlow monitoring tools are available
- open source tools nfdump/nfsen
sFlow, developed by HP, is a web standard which samples network traffic to measure traffic statistics at any layer of the OSI model for a wider range of IPs than the IP-based NetFlow
- Can capture the entire packet header for samples
Bandwidth Monitor
Can be reported by flow collectors
High bandwidth use can indicate data exfiltration
Can also be used on Firewalls and Secure Web Gateways
Isolation Based Containment
Involves removing an affected component from the larger environment
- remove a server from the network
- put app into a sandbox
- air gapping or disabling the switch port
- Black hole
- could disable a user's account or application service
Segmentation Based Containment