Lesson 17 Incident Response Flashcards

1
Q

Incident Response Cycle
PICERL
- Will be on the test; usually describes a scenario and asks what the next step is

A

Note: Can have overlaps in steps

Prep
- have tools and training up to date and ready for use

Identify

  • Detection and Analysis (it happened and what happened)
  • we have a virus and which virus
  • notify stakeholders

Containment
- isolation while limiting immediate impact on customers

Eradication

  • Removal and destruction
  • Restore to a secure state, apply secure config settings and patches
  • Notify stakeholders for remediation

Recovery

  • Recover data, bring systems back online
  • Go back to Identify; may not have fully recovered

Post-Incident

  • lessons learned, documentation
  • improve Prep stage, go back to prep stage
2
Q

Incident Response Plan

A

List of procedures, contacts, and resources available to responders
Playbooks (or runbooks) are data-driven standard operating procedures (SOPs) to assist in detecting and responding to cyberthreat scenarios

Incident categorization

Prioritization factors

Important to have:
- Minimize Panic
Important to practice:
- provides training and familiarity of plan

3
Q

Cyber Kill Chain Attack Framework
or
Steps of Attack / Framework
Will be on the test

A
Steps of Attack / Framework
Reconnaissance / Research
Weaponization / Build your attack and tools
Delivery / get into; Component Access
Exploitation / Breach Security or Activation
Installation / Persistence - how to stay
Cmd & Control / Reach back to Attacker
Actions on Objectives / The Attack
4
Q

Other Attack Frameworks

A

MITRE ATT&CK

  • Database of TTPs
  • Tactic categories
  • No explicit sequencing

Diamond Model of Intrusion
- Framework for describing adversary capability and infrastructure plus effect on victim

5
Q

Incident Response Exercises

A

Table Top

  • Facilitator presents a scenario, and participants discuss the actions to take to identify, contain, and eradicate the threat
  • no actions on live systems

Walkthroughs
- Responders demonstrate response actions via running scans and analyzing sample files using a sandbox

Simulators

  • Red team performs simulated intrusion
  • Blue team operates response and recovery controls
  • White team moderates and evaluates
6
Q

Disaster recovery plan

A

A plan used to survive and recover from a disaster-level event

7
Q

Business Continuity Plan

A

A plan that outlines mission-critical business functions and seeks to provide redundancy for them

8
Q

COOP

A

Continuity of Operations Planning (COOP): used for government facilities; similar to a BCP

Can refer specifically to backup methods of performing mission functions without IT support

9
Q

Incident Identification

A

Linking events together to determine that an incident has occurred or may be pending

Possible event precursors:
- Establish a baseline through log files, error messages, IDS alerts, and firewall alerts

  • Compare deviations to established metrics to recognize their scopes
  • Manual and physical inspections of site, premises, networks, and hosts
  • Notifications from users, customers, suppliers
  • Public reporting of vulnerabilities or threats by system vendors, regulators, or the media
10
Q

Out-of-band communication

A

Used so as not to alert an attacker that the attack has been detected.

Also provides a means of communication should the attack target a form of communication, such as VoIP, email, etc.

11
Q

SIEM Correlation

A

Security information and event management (SIEM) systems can run correlation rules on indicators extracted from data sources to detect events requiring investigation as potential incidents

12
Q

Correlation

A

To interpret the relationship between individual data points to diagnose incidents of significance to the security team

A SIEM can use logical expressions to make correlations and can be connected to a threat database feed to make better correlations to current events on the system

13
Q

Retention

A

Keeping data for a defined period of time

A SIEM can enforce a retention policy so that historical log and network traffic data are kept for a period of time

Allows for retrospective incident and threat hunting as well as for forensic evidence

14
Q

Trend Analysis

A

Process of detecting patterns or indicators within a data set over a time series and using these patterns to predict future events

Software must aid in this activity due to the sheer amount of data available

Can apply to frequency, volume, or statistical deviation

Frequency establishes a baseline for a metric

Volume can apply to logs, network traffic, or increased disk use or reduced disk space on endpoint hosts; all are indicators that should raise suspicion

Statistical deviation can show where a data point should be treated as suspicious

15
Q

Syslog

A

Provides an open format, protocol, and server software for logging event messages

contains:

  • a PRI code
  • header with timestamp and hostname
  • a message part with a tag for the source process plus content

usually uses UDP port 514

16
Q

Rsyslog

A

An updated syslog with the same file syntax, but it can work over TCP and use a secure connection

More customizable message handling due to more types of filter expressions in the config file

17
Q

Syslog-ng

A

Uses a different configuration file than syslog but can use TCP/secure communications and has more advanced options for message filtering

18
Q

journald and journalctl

A

Linux systems use systemd to initialize the system and to start/manage background services.

Logs from systemd-managed processes are binary files called journald

Use journalctl to read the binary log files

19
Q

NXlog

A

An open-source log normalization tool

Used to collect Windows logs, which are XML-formatted, and then normalize these logs into a syslog format

20
Q

Five main categories of Windows event logs

A

Application
- events generated by applications and services, such as when a service cannot start

Security
- audit events, like failed logon or access to a file being denied

System
- events generated by the OS and its services such as storage volume health checks

Setup
- events generated during installation of Windows

Forwarded events
- events sent to the local log from other hosts

21
Q

Network logs

A

Generated from network devices such as routers, firewalls, switches and access points

Records

  • operation and status of the appliance
  • traffic and access logs for network behavior

Examples:
- host trying to use a port which is blocked by the firewall
- endpoint trying to use multiple MAC addresses when connected to a switch

22
Q

Authentication Logs

A

Inspect security logs for authentication attempts on each host

Inspect logs from servers authorizing logons, such as RADIUS or TACACS+ servers or Windows Active Directory (AD)

23
Q

Vulnerability Scan Output

A

The scan produces a report and should be analyzed to identify vulnerabilities which have not been patched or config weaknesses which have not been addressed

Used by a scan engine to produce a log or alert entry when the report contains a vulnerability

24
Q

Application Logs

A

Can write to the Event Viewer, to syslog, or to any application directory selected by the developer

25
Q

DNS Event Logs

A

Can provide useful security info:

  • types of queries a host made to DNS
  • host contacting suspicious IP address ranges or domains
  • large number of failed DNS lookups, pointing to computers which are infected with malware, misconfigured, or running obsolete or faulty applications
26
Q

Web/HTTP Access logs

A

Inspect status codes: codes in the 400s are client-based errors and codes in the 500s are server-based
Repeated 403 (Forbidden) responses indicate an unauthorized user
A 502 (Bad Gateway) indicates that communication between the target server and an upstream server is blocked, or that a server is down

Can also inspect HTTP header info to get a sense of the type of request being made, cookie info, MIME types, and the User-Agent field (who made the request)
User-Agent can be misleading

27
Q

VoIP and SIP traffic

A

VoIP uses Session Initiation Protocol (SIP) to identify endpoints and set up the call, and uses Real-time Transport Protocol (RTP) to carry the call

Uses a call manager as a gateway to connect the endpoints

SIP produces logs similar to SMTP, in a common log format

  • identifies endpoints, type of connection, and status messaging
  • inspection of this log can identify man-in-the-middle attacks if an unauthorized proxy is being connected to

Call manager access log can reveal suspicious connections

28
Q

System memory dump

A

Can identify:

  • running processes
  • contents of temp files
  • registry data
  • network connections
  • cryptographic keys
  • means of accessing encrypted data
29
Q

Metadata for file, web, email, and mobile

A

File metadata consists of attributes: creation, access, and modification times; permissions; hidden or system file type; the ACL

Web metadata is the returned resource's header settings and the type of data returned

Email internet headers have many attributes such as sender and receiver address info; the message transfer agent (MTA) fields carry lots of info, including results of spam checking. Use a tool to view them, as plain text can be difficult to read

Mobile metadata contains call detail records (CDR), SMS text times, and the opposite party's number, as well as data transfer volume.

  • can use cell tower information to track location history
  • CDRs are saved by the mobile operator for ~18 months
  • might need consent from a BYOD user
30
Q

Protocol Analyzer Output

A

Used by a SIEM which correlates an event or alert summary to the underlying packet information

  • Can help reveal the tools used in an attack
  • Can possibly extract binary files such as potential malware for analysis
31
Q

Network Flow collectors

A

A flow collector records the metadata and stats about network traffic rather than recording each frame
These tools can:
- highlight trends and patterns in traffic from applications, hosts, and ports
- alert on detection of anomalies, pattern analysis, and custom triggers
- create a map of network connections to help interpret patterns of traffic and flow data
- identify rogue user behavior, malware transit, tunneling, and applications exceeding allocated bandwidth based on traffic patterns
- identify malware attempts to contact a handler or command and control channels

32
Q

Netflow tools NetFlow/IPFIX and sFlow

A

NetFlow has been redeveloped as IP Flow Information Export (IPFIX)

  • Cisco-developed means of reporting network flow information to a structured database
  • several NetFlow monitoring tools are available
  • open source tools: nfdump/nfsen

sFlow was developed by HP and is a web standard that samples network traffic to measure traffic statistics at any layer of the OSI model for a wider range of IPs than IP-based NetFlow
- Can capture the entire packet header for samples

33
Q

Bandwidth Monitor

A

Can be reported by flow collectors

High bandwidth use can indicate data exfiltration

Can also be used on Firewalls and Secure Web Gateways

34
Q

Isolation Based Containment

A

Involves removing an affected component from the larger environment

  • remove a server from the network
  • put an app into a sandbox
  • air gapping or disabling the switch port
  • black hole
  • could disable a user's account or an application service
35
Q

Segmentation Based Containment

A