Lesson 17 Incident Response Flashcards
Incident Response Cycle
PICERL
- Will be on test; the question usually describes a scenario and asks what the next step is
Note: Can have overlaps in steps
Prep
- have tools and training up to date and ready for use
Identify
- Detection and Analysis (it happened and what happened)
- we have a virus and which virus
- notify stakeholders
Containment
- Isolation while limiting the immediate impact on customers
Eradication
- Removal and destruction
- Restore to a secure state, apply secure config settings and patches
- Notify stakeholders for remediation
Recovery
- Recover data, bring systems back online
- Go back to Identify if systems may not have been fully recovered
Post-Incident
- Lessons learned, documentation
- Improve the Prep stage; the cycle returns to Prep
Incident Response Plan
List of procedures, contacts, and resources available to responders
A playbook (or runbook) is a data-driven standard operating procedure (SOP) that assists in detecting and responding to cyberthreat scenarios
Incident categorization
Prioritization factors
Important to have:
- Minimizes panic
Important to practice:
- Provides training and familiarity with the plan
Cyber Kill Chain Attack Framework (or Steps of Attack / Framework)
- Will be on test
Steps of Attack / Framework:
- Reconnaissance / Research
- Weaponization / Build your attack and tools
- Delivery / Get in; component access
- Exploitation / Breach security or activation
- Installation / Persistence - how to stay
- Cmd & Control / Reach back to attacker
- Actions on Objectives / The attack
Other Attack Frameworks
MITRE ATT&CK
- Database of TTPs
- Tactic categories
- No explicit sequencing
Diamond Model of Intrusion
- Framework for describing adversary capability and infrastructure and their effect on the victim
Incident Response Exercises
Table Top
- Facilitator presents a scenario, then the team discusses the actions to take to identify, contain, and eradicate the threat
- no actions on live system
Walkthroughs
- Responders demonstrate response actions via running scans and analyzing sample files using a sandbox
Simulators
- Red team performs simulated intrusion
- Blue team operates response and recovery controls
- White team moderates and evaluates
Disaster recovery plan
A plan used to survive and recover from a disaster level event
Business Continuity Plan
A plan that outlines mission-critical business functions and seeks to provide redundancy for them
COOP
Continuity of Operations Planning (COOP) is used for government facilities; similar to a BCP
Can also refer specifically to backup methods of performing mission functions without IT support
Incident Identification
Linking events together to determine that an incident has occurred or may be pending
Possible event precursors:
- Establish a baseline through log files, error messages, IDS alerts, firewall alerts
- Compare deviations against established metrics to recognize their scope
- Manual and physical inspections of site, premises, networks, and hosts
- Notifications from users, customers, suppliers
- Public reporting of vulnerabilities or threats by system vendors, regulator, the media
Out-of-band communication
Used so as not to alert an attacker that the attack has been detected.
Also provides a means of communication should the attack be on a form of communication, such as VoIP, email, etc.
SIEM Correlation
Security information and event management (SIEM) can run correlation rules on indicators extracted from data sources to detect events requiring investigation as potential incidents
Correlation
Interpreting the relationship between individual data points to diagnose incidents of significance to the security team
A SIEM can use logical expressions to make correlations and can be connected to a threat database feed to better correlate current events on the system
Retention
Keeping data for a defined period of time
A SIEM can enact a retention policy for historical log and network traffic data to be kept for a period of time
Allows for retrospective incident and threat hunting as well as for forensic evidence
Trend Analysis
Process of detecting patterns or indicators within a data set over a time series and using these patterns to predict future events
Software must aid in this activity due to the sheer amount of data available
Can apply to frequency, volume, or statistical deviation
Frequency establishes a baseline for a metric
Volume can apply to logs, network traffic, or increased disk use or reduced disk space on the endpoint hosts - all indicators which should raise suspicion
Statistical deviation can show where a data point should be treated as suspicious
Syslog
Provides an open format, protocol, and server software for logging event messages
contains:
- a PRI code
- header with timestamp and hostname
- a message part with the tag of the source process plus the content
Usually uses UDP port 514