Operations and Incident Response Flashcards

1
Q

Determine the route a packet takes to a destination
- Map the entire path

Takes advantage of ICMP Time to Live Exceeded error message
- The time in TTL refers to hops, not seconds or minutes
- TTL=1 is the first router, TTL=2 is the second router, etc.

Not all devices will reply with ICMP Time Exceeded messages
- Some firewalls filter ICMP
- ICMP is low-priority for many devices

A

traceroute / tracert

2
Q

Lookup information from DNS servers
- Canonical names, IP addresses, cache timers, etc.

Both Windows and POSIX-based
- Lookup names and IP addresses
- Deprecated

A

nslookup

3
Q

Lookup information from DNS servers
- Canonical names, IP addresses, cache timers, etc.

More advanced domain information

A

dig

4
Q

Most of your troubleshooting starts with your IP address
- Ping your local router/gateway

Determine TCP/IP and network adapter information
- And some additional IP details

A

ipconfig - Windows
ifconfig - Linux

5
Q

Network mapper
- Find and learn more about network devices

Port scan
- Find devices and identify open ports

Operating system scan
- Discover the OS without logging in to a device

Service scan
- What service is available on a device?
- Name, version, details

Additional scripts
- Extended capabilities, vulnerability scans

A

Nmap

6
Q

Test reachability
- Determine round-trip time
- Uses Internet Control Message Protocol (ICMP)

One of your primary troubleshooting tools

A

ping

7
Q

Combine ping and traceroute
- Included with Windows NT and later

First phase runs a traceroute
- Build a map

Second phase
- Measure round-trip time and packet loss at each hop

A

pathping

8
Q

TCP/IP packet assembler/analyzer
- A ping that can send almost anything

Ping a device
- ICMP, TCP, UDP

Send crafted frames
- Modify all IP, TCP, UDP, and ICMP values

A powerful tool
- It’s easy to accidentally flood and DoS

A

hping

9
Q

Network statistics
- Many different operating systems

A

netstat

10
Q

Show all active connections

A

netstat -a

11
Q

Show binaries

A

netstat -b

12
Q

Do not resolve names

A

netstat -n

13
Q

“Read” or “write” to the network
- Open a port and send or receive some traffic

Many different functions
- Listen on a port number
- Transfer data
- Scan ports and send data to a port

Become a backdoor
- Run a shell from a remote device

Other alternatives and OSes - Ncat

A

netcat

14
Q

Search a network for IP addresses
- Locate active devices
- Avoid doing work on an IP address that isn’t there

Many different techniques
- ARP (if on the local subnet)
- ICMP requests (ping)
- TCP ACK
- ICMP timestamp requests

A response means more recon can be done
- Keep gathering information - Nmap, hping, etc

A

IP scanners

15
Q

Determine a MAC address based on an IP address
- You need the hardware address to communicate

A

Address Resolution Protocol

16
Q

View local ARP table

A

arp -a

17
Q

View the device’s routing table
- Find out which way the packets will go

A

route print - Windows
netstat -r - Linux and macOS

18
Q

Client URL
- Retrieve data using a URL
- Uniform Resource Locator
- Web pages, FTP, emails, databases, etc.

Grab the raw data
- Search
- Parse
- Automate

A

curl

19
Q

Gather OSINT
- Open-Source Intelligence

Scrape information from Google or Bing
- Find associated IP addresses

List of people from LinkedIn
- Names and titles

Find PGP keys by email domain
- A list of email contacts

DNS brute force
- Find those unknown hosts; vpn, chat, mail, partner, etc.

A

theHarvester

20
Q

Combine many recon tools into a single framework
- dnsenum, metasploit, nmap, theHarvester, and much more

Both non-intrusive and very intrusive scanning options
- You choose the volume

Another tool that can cause problems
- Brute force, server scanning, etc
- Make sure you know what you’re doing

A

sn1per

21
Q

Run port scans from a different host
- Port scan proxy

Many different services
- Choose the option for scan origination
- Your IP is hidden as the scan source

A

scanless

22
Q

Enumerate DNS information
- Find host names

View host information from DNS servers
- Many services and hosts are listed in DNS

Find host names in Google
- More hosts can probably be found in the index

A

dnsenum

23
Q

Industry leader in vulnerability scanning
- Extensive support
- Free and commercial options

Identify known vulnerabilities
- Find systems before they can be exploited

Extensive reporting
- A checklist of issues
- Filter out the false positives

A

Nessus

24
Q

A sandbox for malware
- Test a file in a safe environment

A virtualized environment
- Windows, Linux, macOS, Android

Track and trace
- API calls, network traffic, memory analysis
- Traffic captures
- Screenshots

A

Cuckoo

25
Q

View the first part of a file

Use -n to specify the number of lines

A

head

26
Q

View the last part of a file

Use -n to specify the number of lines

A

tail

27
Q

Concatenate
- Link together in a series

Copy a file/files to another file

A

cat

28
Q

Find text in a file
- Search through many files at a time

A

grep

29
Q

Change mode of a file system object
- r=read, w=write, x=execute
- Can also use octal notations
- Set for the file owner (u), the group (g), others (o), or all (a)

A

chmod

30
Q

User = read, write, and execute
Group = read only
Others = read only

A

chmod 744

31
Q

Add entries to the system log
- syslog

Adding to the local syslog file

Useful for including information in a local or remote syslog file
- Include as part of an automation script
- Log an important event

A

logger

32
Q

Encrypted console communication

TCP port 22

Looks and acts the same as Telnet

A

Secure Shell (SSH)

32
Q

Command line for system administrators
- .ps1 file extension
- Included with Windows 8/8.1 and 10

Extend command-line functions
- Uses cmdlets (command-lets)
- Standalone executables

Automate and integrate
- System administration
- Active domain registration

A

Windows PowerShell

33
Q

General-purpose scripting language
- .py file extension

Popular in many technologies
- Broad appeal and support

A

Python

34
Q

A toolkit and crypto library for SSL/TLS
- Build certificates, manage SSL/TLS communication

Create X.509 certificates
- Manage certificate signing requests (CSRs) and certificate revocation lists (CRLs)

Message digests
- Support for many hashing protocols

Encryption and Decryption
- SSL/TLS for services

A

OpenSSL

35
Q

A suite of packet replay utilities
- Replay and edit packet captures
- Open source

Test security devices
- Check IPS signatures and firewall rules

Test and tune IP Flow/Netflow devices
- Send hundreds of thousands of traffic flows per second

A

Tcpreplay

36
Q

Capture packets from the command line
- Display packets on the screen
- Write packets to a file

A

tcpdump

37
Q

Graphical packet analyzer
- Get into the details

Gathers frames on the network
- Or in the air

Sometimes built into the device
- View traffic patterns
- Identify unknown traffic
- Verify packet filtering and security controls

Extensive decodes
- View the application traffic

A

Wireshark

38
Q

Create a bit-by-bit copy of a drive
- Used by many forensics tools

Create a disk image
- dd if=/dev/sda of=/tmp/sda-image.img

Restore from an image
- dd if=/tmp/sda-image.img of=/dev/sda

A

dd

39
Q

Copy information in system memory to the standard output stream
- Everything that happens is in memory
- Many third-party tools can read a memory dump

Copy to another host across the network
- Use netcat, stunnel, openssl, etc.

A

memdump

40
Q

A universal hexadecimal editor for Windows OS

Edit disks, files, RAM
- Includes data recovery features

Disk cloning
- Drive replication

Secure wipe
- Hard drive cleaning

Much more
- A full-featured forensics tool

A

WinHex

41
Q

AccessData forensic drive imaging tool
- Includes file utilities and read-only image mounting
- Windows executable

Widely supported in many forensics tools
- Third-party analysis

Support for many different file systems and full disk encryption methods
- Investigator still needs the password

Can also import other image formats
- dd, Ghost, Expert Witness, etc.

A

FTK Imager

42
Q

Perform digital forensics of hard drives, smartphones
- View and recover data from storage devices

Extract many different data types
- Downloaded files
- Browser history and cache
- Email messages
- Databases
- Much more

A

Autopsy

43
Q

A pre-built toolkit for exploitations
- Build custom attacks
- Add more tools as vulnerabilities are found
- Increasingly powerful utilities

Metasploit
- Attack known vulnerabilities

The Social-Engineer Toolkit (SET)
- Spear phishing, infectious media generator

A

Exploitation frameworks

44
Q

The keys to the kingdom
- Find the passwords

Online cracking
- Try username/password combinations

Offline cracking
- Brute force a hash file

Limitations
- Password complexity/strength (entropy)
- Hashing method and CPU power
- Graphics processors are useful hardware tools

A

Password crackers

45
Q

Completely remove data
- No usable information remains

Many different use cases
- Clean a hard drive for future use
- Permanently delete a single file

A one-way trip
- Once it’s gone, it’s really gone
- No recovery with forensics tools

A

Data sanitization

46
Q

User clicks an email attachment and executes malware
- Malware then communicates with external servers

DDoS
- Botnet attack

Confidential information is stolen
- Thief wants money or it goes public

User installs peer-to-peer software and allows external access to internal servers

A

Security incidents

47
Q

Specialized group, trained and tested

A

Incident response team

48
Q

Corporate support

A

IT security management

49
Q

Intricate knowledge of compliance rules

A

Compliance officers

50
Q

Your team in the trenches

A

Technical staff

51
Q

National Institute of Standards and Technology
- Computer security incident

The incident response lifecycle
- Preparation
- Detection and Analysis
- Containment, Eradication, and Recovery
- Post-incident Activity

A

NIST SP800-61

52
Q

Communication methods
- Phones and contact information

Incident handling hardware and software
- Laptops, removable media, forensic software, digital cameras, etc

Incident analysis resources
- Documentation, network diagrams, baselines, critical file hash values

Incident mitigation software
- Clean OS and application images

Policies needed for incident handling
- Everyone knows what to do

A

Preparation (Step 1 of Incident Response lifecycle)

53
Q

Many different sources
- Different levels of detail, different levels of perception

A large amount of “volume”
- Attacks are incoming all the time
- How do you identify the legitimate threats?

Incidents are almost always complex
- Extensive knowledge needed

A

Detection (Step 2 of Incident Response lifecycle)

54
Q

An incident might occur in the future
- This is your heads-up

Web server log
- Vulnerability scanner in use

Exploit announcement
- Monthly Microsoft patch release
- Adobe Flash update

Direct threats
- A hacking group doesn’t like you

A

Incident precursors (Step 2 of Incident Response lifecycle)

55
Q

An attack is underway
- Or an exploit is successful

Buffer overflow attempt
- Identified by an intrusion detection/prevention system

Anti-virus software identifies malware
- Deletes from OS and notifies administrator

Host-based monitor detects a configuration change
- Constantly monitors system files

Network traffic flows deviate from the norm
- Requires constant monitoring

A

Incident indicators (Step 2 of Incident Response lifecycle)

56
Q

Generally a bad idea to let things run their course
- An incident can spread quickly
- It’s your fault at that point

Sandboxes
- An isolated operating system
- Run malware and analyze the results
- Clean out the sandbox when done

Can sometimes be problematic
- Malware or infections can monitor connectivity
- When connectivity is lost, everything could be deleted/encrypted/damaged

A

Isolation and containment (Step 3 of Incident Response lifecycle)

57
Q

Get things back to normal
- Remove the bad, keep the good

Eradicate the bug
- Remove malware
- Disable breached user accounts
- Fix vulnerabilities

Recover the system
- Restore from backups
- Rebuild from scratch
- Replace compromised files
- Tighten down the perimeter

A

Recover (Step 3 of Incident Response lifecycle)

58
Q

A phased approach
- It’s difficult to fix everything at once

Recovery may take months
- Large-scale incidents require a large amount of work

The plan should be efficient
- Start with quick, high-value security changes
- Patches, firewall policy changes
- Later phases involve much “heavier lifting”
- Infrastructure changes, large-scale security rollouts

A

Reconstitution (Step 4 of Incident Response lifecycle)

59
Q

Learn and improve
- No system is perfect

Post-incident meeting
- Invite everyone affected by the incident

Don’t wait too long
- Memories fade over time
- Some recommendations can be applied to the next event

A

Lessons learned (Step 4 of Incident Response lifecycle)

60
Q

Test yourselves before an actual event
- Scheduled update sessions (annual, semi-annual, etc)

Use well-defined rules of engagement
- Do not touch the production systems

Very specific scenario
- Limited time to run the event

Evaluate response
- Document and discuss

A

Exercise

61
Q

Performing a full-scale disaster drill can be costly
- And time consuming

Many of the logistics can be determined through analysis
- You don’t physically have to go through a disaster or drill

Get key players together for a tabletop exercise
- Talk about a simulated disaster

A

Tabletop exercises

62
Q

Include responders
- A step beyond a tabletop exercise
- Many moving parts

Test processes and procedures before an event
- Walk through each step
- Involve all groups
- Reference actual response materials

Identifies actual faults or missing steps
- The walkthrough applies the concepts from the tabletop exercise

A

Walkthroughs

63
Q

Test with a simulated event
- Phishing attack, password requests, data breaches

Going phishing
- Create a phishing email attack
- Send to your actual user community
- See who bites

Test internal security
- Did the phishing get past the filter

Test the users
- Who clicked?
- Additional training may be required

A

Simulation

64
Q

Keeping a good ongoing relationship with customers of IT
- These can be internal or external customers
- An incident response will require teamwork
- Without the stakeholder, IT would not exist

Most of this happens prior to an incident
- Ongoing communication and meetings
- Exercises should include the customers

Continues after the incident
- Prepare for the next event

A

Stakeholder management

65
Q

Get your contact list together
- There are a lot of people in the loop

Corporate/Organization
- CIO/Head of Information Security/Internal Response Teams

Internal non-IT
- Human resources, public affairs, legal department

External contacts
- System owner, law enforcement
- US-CERT (for U.S. Government agencies)

A

Communication plan

66
Q

If a disaster happens, IT should be ready
- Part of the business continuity plan
- Keep the organization up and running

Disasters are many and varied
- Natural disasters
- Technology or system failures
- Human-created disasters

A comprehensive plan
- Recovery location
- Data recovery method
- Application restoration
- IT team and employee availability

A

Disaster recovery plan

67
Q

Not everything goes according to plan
- Disasters can cause a disruption to the norm

We rely on our computer systems
- Technology is pervasive

There needs to be an alternative
- Manual transactions
- Paper receipts
- Phone calls for transaction approvals

These must be documented and tested before a problem occurs

A

Continuity of operations planning (COOP)

68
Q

Receives, reviews, and responds
- A predefined group of professionals

Determine what type of events require a response
- A virus infection? Ransomware? DDoS?

May or may not be part of the organizational structure
- Pulled together on an as-needed basis

Focuses on incident handling
- Incident response, incident analysis, incident reporting

A

Incident response team

69
Q

Backup your data
- How much and where? Copies, versions of copies, lifecycle of data, purging old data

Regulatory compliance
- A certain amount of data backup may be required

Operational needs
- Accidental deletion, disaster recovery

Differentiate by type and application
- Recover the data you need where you need it

A

Retention policies

70
Q

A constantly moving chessboard
- The rules are also constantly changing

Response and intelligence teams need assistance
- Gather and maintain ongoing reconnaissance

Understand attacks
- Many different vectors

Assess the risk in an organization
- Determine if the risk exists
- Use appropriate mitigation

A

Attacks and responses

71
Q

Determine the actions of an attacker
- Identify points of intrusion
- Understand methods used to move around
- Identify potential security techniques to block future attacks

A

MITRE ATT&CK framework

72
Q

Designed by the intelligence community
- Guide analysts to help understand intrusions
- Integrates well with other frameworks

Apply scientific principles to intrusion analysis
- Measurement, testability, and repeatability
- Appears simple but is remarkably complex

An adversary deploys a capability over some infrastructure against a victim
- Use the model to analyze and fill in the details

A

Diamond Model of Intrusion Analysis

73
Q

Seven phases of a cyber attack
- A military concept

A

Cyber Kill Chain

74
Q

The scanner looks for everything
- The signatures are the key

The vulnerabilities can be cross-referenced online
- Almost all scanners give you a place to go

Some vulnerabilities cannot be definitively identified
- You’ll have to check manually to see if a system is vulnerable
- But the scanner gives you a heads-up

A

Identify vulnerabilities

75
Q

Lack of security controls
- No firewall
- No anti-virus
- No anti-spyware

Misconfigurations
- Open shares
- Guest access

Real vulnerabilities
- Especially newer ones
- Occasionally the old ones

A

Vulnerability scan results

76
Q

A vulnerability is identified that doesn’t really exist

This is different than a low-severity vulnerability
- It’s real but it may not be your highest priority

Update to the latest signatures
- If you don’t know about it, you can’t see it

Work with the vulnerability detection manufacturer
- They may need to update their signatures for your environment

A

False positives

77
Q

A vulnerability exists, but you didn’t detect it

A

False negative

78
Q

Logging of security events and information

Security alerts
- Real-time information

Log aggregation and long-term storage
- Usually includes advanced reporting features

Data correlation
- Link diverse data types

Forensic analysis
- Gather details after an event

Getting the data
- Sensors and logs
* Operating systems
* Infrastructure devices
* Netflow sensors
- Sensitivity settings
* Easy to be overwhelmed with data
* Some information is unnecessary
* Informational, Warning, urgent

Viewing the data
- Trends
* Identify changes over time
* Easily view constant attack metrics
- Alerts
* Identify a security event
* View raw data
* Visualize the log information
- Correlation
* Combine and compare
* View data in different ways

A

Security Information and Event Management (SIEM)

79
Q

Switches, routers, access points, VPN concentrators
- And other infrastructure devices

Network changes
- Routing updates
- Authentication issues
- Network security issues

A

Network log files

80
Q

Operating system information
- Extensive logs
- File system information
- Authentication details

Can also include security events
- Monitoring apps
- Brute force, file changes

May require filtering
- Don’t forward everything

A

System log files

81
Q

Specific to the application
- Information varies widely

Windows - Event Viewer / Application Log

Linux / macOS - /var/log

Parse the log details on the SIEM
- Filter out unneeded info

A

Application log files

82
Q

Detailed security-related information
- Blocked and allowed traffic flows
- Exploit attempts
- Blocked URL categories
- DNS sinkhole traffic

Security devices
- IPS, firewall, proxy

Critical security information
- Documentation of every traffic flow
- Summary of attack info
- Correlate with other logs

A

Security log files

83
Q

Web server access
- IP address, web page URL

Access errors
- Unauthorized or non-existent folders/files

Exploit attempts
- Attempt to access files containing known vulnerabilities

Server activity
- Startup and shutdown notices
- Restart messages

A

Web log files

84
Q

View lookup requests
- And other DNS queries

IP address of the request
- The request FQDN or IP

Identify queries to known bad URLs
- Malware sites, known command and control domains

Block or modify known bad requests at the DNS server
- Log the results
- Report on malware activity

A

DNS log files

85
Q

Know who logged in (or didn’t)
- Account names
- Source IP address
- Authentication methods
- Success and failure reports

Identify multiple failures
- Potential brute force attacks

Correlate with other events
- File transfers
- Authentications to other devices
- Application installation

A

Authentication log files

86
Q

Store all contents of memory into a diagnostic file
- Developers can use this info

Easy to create
- Windows Task Manager > Right click > Create dump file

Some applications have their own process
- Contact the appropriate support team for additional details

A

Dump files

87
Q

View inbound and outbound call info
- Endpoint details, gateway communication

Security information
- Authentications, audit trails

SIP traffic logs
- Session Initiation Protocol
- Call setup, management, and teardown
- Inbound and outbound calls
- Alert on unusual numbers or country codes

A

VoIP and Call Manager logs

88
Q

Standard for message logging
- Diverse systems create a consolidated log

Usually a central logging receiver
- Integrated into the SIEM

Each log entry is labeled
- Facility code (program that created the log) and severity level

Options
- Rsyslog - “Rocket-fast System for log processing”
- syslog-ng - A popular syslog daemon with additional filtering and storage options
- NXLog - Collection from many diverse log types

A

Syslog

89
Q

Linux has a lot of logs
- The OS, daemons, applications, etc

System logs are stored in a binary format
- Optimized for storage and queries
- Can’t read them with a text editor

Provides a method for querying the system journal
- Search and filter
- View as plain text

A

journalctl

90
Q

The fundamental network statistic
- Percentage of network use over time

Many different ways to gather this metric
- SNMP, NetFlow, sFlow, IPFIX protocol analysis, software agent

Identify fundamental issues
- Nothing works properly if bandwidth is highly utilized

A

Bandwidth monitors

91
Q

Data that describes other data sources

Email
- Header details, sending servers, destination address

Mobile - Type of phone, GPS location

Web - Operating system, browser type, IP address

Files - Name, address, phone numbers, title

A

Metadata

92
Q

Gather traffic statistics from all traffic flows
- Shared communication between devices
- Standard collection method
- Many products and options

Probe and collector
- Probe watches network communication
- Summary records are sent to the collector

Usually a separate reporting app
- Closely tied to the collector

A

NetFlow

93
Q

A newer, NetFlow-based standard
- Evolved from NetFlow v9

Flexible data support
- Templates are used to describe the data

A

IP Flow Information Export (IPFIX)

94
Q

Only a portion of the actual network traffic
- So, technically not a flow

Usually embedded in the infrastructure
- Switches, routers
- Sampling usually occurs in the hardware/ASICs

Relatively accurate statistics
- Useful information regarding video streaming and high-traffic applications

A

sFlow

95
Q

Solve complex application issues
- Get into the details

Gathers packets on the network
- Or in the air
- Sometimes built into the device

View detailed traffic information
- Identify unknown traffic
- Verify packet filtering and security controls
- View a plain-language description of the application data

A

Protocol analyzer output

96
Q

The end user device
- Desktop PC, laptop, tablet, phone, etc.

Many ways to exploit a system
- OS vulnerability, malware, user intervention

Security team has to cover all of the bases
- Recognize and react to any malicious activity

A

The endpoint

97
Q

Any application can be dangerous
- Vulnerabilities, trojan horses, malware
- Security policy can control app execution

Approved list
- Nothing runs unless it’s approved
- Very restrictive

Blocklist/deny list
- Nothing on the “bad list” can be executed
- Anti-virus, anti-malware

Quarantine
- Anything suspicious can be moved to a safe area

A

Application approved/deny lists

98
Q

Decisions are made in the operating system
- Often built into the operating system management

Application hash
- Only allows applications with this unique identifier

Certificate
- Allow digitally signed apps from certain publishers

Path
- Only run applications in these folders

Network zone
- The apps can only run from this network zone

A

Examples of application approval lists

99
Q

Manage application flows

Block dangerous applications

A

Firewall rules

100
Q

Enable or disable phone and tablet functionality

Regardless of physical location

A

Mobile Device Manager (MDM)

101
Q

Block transfer of personally identifiable information (PII) or sensitive data

Credit card numbers, social security numbers, etc.

A

Data Loss Prevention (DLP)

102
Q

Limit access to untrusted websites

Block known malicious sites

Large blocklists are used to share suspicious URLs

A

Content filter/URL filter

103
Q

Manage device certificates to verify trust

Revoking a certificate effectively removes access

A

Updating or revoking certificates

104
Q

Administratively isolate a compromised device from everything else
- Prevent the spread of malicious software
- Prevent remote access or C2 (Command and Control)

A

Isolation

105
Q

Isolation to a remediation LAN

No communication to other devices

A

Network isolation

106
Q

Limit application execution

Prevent malicious activity but allow device management

A

Process isolation

107
Q

Run each application in its own sandbox

Limit interaction with the host operating system and other applications

Ransomware would have no method of infection

Contains the spread of a multi-device security event, e.g., ransomware
- Disable administrative shares
- Disable remote management
- Disable local account access and change local administrator password

A

Application containment

108
Q

Separate the network
- Prevent unauthorized movement
- Limit the scope of a breach

A

Segmentation

109
Q

Integrate third-party tools and data sources

Make security teams more effective

A

Security Orchestration, Automation, and Response (SOAR)

110
Q

Linear checklist of steps to perform

Step-by-step approach to automation

Reset a password, create a website certificate, back up application data

A

Runbooks

111
Q

Conditional steps to follow; a broad process

Investigate a data breach, recover from ransomware

A

Playbooks

112
Q

Collect and protect information relating to an intrusion
- Many different data sources and protection mechanisms

Standard digital forensic process
- Acquisition, analysis, and reporting

Must be detail oriented
- Take extensive notes

A

Digital forensics

113
Q

A legal technique to preserve relevant information
- Prepare for impending litigation
- Initiated by legal counsel

Hold notification
- Records custodians are instructed to preserve data

Separate repository for electronically stored information (ESI)
- Many different data sources and types
- Unique workflow and retention requirements

Ongoing preservation
- Once notified, there’s an ongoing obligation to preserve data

A

Legal hold

114
Q

A moving record of the event
- Gathers information external to the computer and network

Captures the status of the screen and other volatile information
- Today’s mobile video devices are remarkable

Don’t forget security cameras and your phone

The video content must also be archived
- May have some of the most important record of information

A

Capture video

115
Q

Not all data can be used in a court of law
- Different rules in different jurisdictions

Legal authorization
- Search and seizure of information

Procedures and tools
- The correct tools used the correct way

Laboratories
- Proper scientific principles used to analyze the evidence

Technical and academic qualifications
- Competence and qualifications of experts

A

Admissibility

116
Q

Control evidence
- Maintain integrity

Record everyone who handles the evidence
- Hash the evidence at acquisition and at each handoff to prove it is unchanged
- Avoid tampering

Label and catalog everything
- Digitally tag all items for ongoing documentation
- Seal and store

A

Chain of custody
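
A worked example of the hashing part of this card, added here and not taken from the flashcards or any particular forensic tool: each custody record stores the evidence hash and the hash of the previous record, so a later edit, deletion or substitution of the evidence shows up when the log is re-verified. The evidence bytes, custodian names and timestamps are constructed sample data.

```python
import hashlib
import json

# Constructed evidence item, standing in for an acquired disk image.
EVIDENCE = b"raw image bytes: MBR, partitions, deleted files..."

# Constructed handoffs: (custodian, action, time) - not from a real case.
EVENTS = [
    ("A. Analyst", "acquired image via write blocker", "2024-03-01T09:15:00Z"),
    ("A. Analyst", "sealed in evidence bag", "2024-03-01T09:40:00Z"),
    ("B. Examiner", "received for analysis", "2024-03-02T08:05:00Z"),
]

GENESIS = "0" * 64  # previous-hash value for the first record


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_entry(prev_hash: str, custodian: str, action: str,
               evidence_hash: str, when: str) -> dict:
    """One custody record. Its own hash covers the previous record's hash,
    so editing or removing any earlier record breaks the chain."""
    body = {"prev": prev_hash, "custodian": custodian, "action": action,
            "evidence_sha256": evidence_hash, "time": when}
    body["entry_sha256"] = sha256_hex(json.dumps(body, sort_keys=True).encode())
    return body


def build_log(evidence: bytes, events) -> list:
    """Hash the evidence once per handoff and link the records together."""
    log, prev = [], GENESIS
    for custodian, action, when in events:
        entry = make_entry(prev, custodian, action, sha256_hex(evidence), when)
        log.append(entry)
        prev = entry["entry_sha256"]
    return log


def verify_log(log: list, evidence: bytes) -> bool:
    """Recompute every link and confirm the evidence still matches the hash
    recorded at every handoff. Any change to the evidence, to a record's
    fields, or to the order/count of records returns False."""
    prev, current = GENESIS, sha256_hex(evidence)
    for entry in log:
        if entry["prev"] != prev or entry["evidence_sha256"] != current:
            return False
        body = {k: v for k, v in entry.items() if k != "entry_sha256"}
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_sha256"]:
            return False
        prev = entry["entry_sha256"]
    return True


if __name__ == "__main__":
    log = build_log(EVIDENCE, EVENTS)
    print(json.dumps(log, indent=2))
    print("intact:", verify_log(log, EVIDENCE))
```

In practice the custody record is signed or written to an append-only system as well; the point of the chained hashes is that the record itself, not just the evidence, can be checked for tampering.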

117
Q

The time zone determines how the time is displayed
- Document the local device settings

Different file systems store timestamps differently
- FAT: Time is stored in local time
- NTFS: Time is stored in UTC (GMT)

Record the time offset from the operating system
- The Windows Registry (HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation)
- Many different values (bias, daylight savings time, time change information, etc)

A

Recording time offsets
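
An added example (not from the flashcards) of why the recorded offset matters: the same FAT date/time words decode to different moments depending on the offset you apply, while an NTFS FILETIME needs none. The sample words and the UTC-5 offset are constructed; the field layouts (FAT: 16-bit date with year-since-1980/month/day, 16-bit time with 2-second resolution; FILETIME: 100 ns ticks since 1601-01-01 UTC) are the documented formats.

```python
from datetime import datetime, timedelta, timezone

# NTFS FILETIME counts 100 ns ticks from this epoch and is already UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def fat_to_utc(date_word: int, time_word: int, utc_offset_minutes: int) -> datetime:
    """Decode a FAT date/time pair (local wall-clock time, even seconds only)
    and convert it to UTC.

    utc_offset_minutes is the device's offset from UTC as documented during
    acquisition, e.g. -300 for UTC-5. The registry's ActiveTimeBias has the
    opposite sign (minutes to ADD to local time to reach UTC), so check
    which convention your notes use before applying it.
    """
    year = 1980 + (date_word >> 9)
    month = (date_word >> 5) & 0x0F
    day = date_word & 0x1F
    hour = time_word >> 11
    minute = (time_word >> 5) & 0x3F
    second = (time_word & 0x1F) * 2
    local_tz = timezone(timedelta(minutes=utc_offset_minutes))
    local = datetime(year, month, day, hour, minute, second, tzinfo=local_tz)
    return local.astimezone(timezone.utc)


def filetime_to_utc(filetime: int) -> datetime:
    """Decode an NTFS FILETIME; no offset is applied because it is stored in UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def utc_to_filetime(when: datetime) -> int:
    """Inverse of filetime_to_utc, handy for building reference values."""
    delta = when.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def same_instant(fat_utc: datetime, ntfs_utc: datetime) -> bool:
    """FAT keeps only even seconds, so two timestamps within 2 s agree."""
    return abs((fat_utc - ntfs_utc).total_seconds()) < 2


if __name__ == "__main__":
    # Constructed sample: 2024-03-01 09:15:00 local on a UTC-5 device.
    FAT_DATE, FAT_TIME = 22625, 18912
    print("wrong (no offset):", fat_to_utc(FAT_DATE, FAT_TIME, 0))
    print("right (UTC-5):    ", fat_to_utc(FAT_DATE, FAT_TIME, -300))
    print("Unix epoch as FILETIME:", filetime_to_utc(116_444_736_000_000_000))
```

A five-hour error is enough to put a file write on the wrong side of a logon event, which is exactly the kind of ordering a timeline analysis depends on.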

118
Q

System logs
- Documents important operating system and application events

Export and store for future reference
- Filter and parse

Log store
- Linux: /var/log
- Windows: Event Viewer

A

Event logs
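
The "filter and parse" step on a Linux log store, as an added example that is not part of the flashcards: split traditional syslog-format lines into fields, then pull failed and accepted SSH logins out of them and flag sources with repeated failures. The auth.log lines are constructed samples with documentation IP ranges, not output from a real host; the message formats follow OpenSSH's usual wording.

```python
import re
from collections import Counter

# Constructed sample of /var/log/auth.log lines (not from a real system).
SAMPLE_AUTH_LOG = """\
Mar  1 09:14:58 web01 sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Mar  1 09:14:59 web01 sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 51023 ssh2
Mar  1 09:15:01 web01 sshd[2203]: Failed password for root from 198.51.100.23 port 51024 ssh2
Mar  1 09:15:07 web01 sshd[2210]: Accepted publickey for deploy from 203.0.113.8 port 40122 ssh2
Mar  1 09:16:40 web01 sshd[2215]: Failed password for root from 203.0.113.8 port 40130 ssh2
Mar  1 09:16:42 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/journalctl
"""

SYSLOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[\w./-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)")


def parse_syslog(text: str) -> list:
    """Split syslog lines into fields. Lines that do not match are kept
    verbatim under "raw" so nothing is silently dropped from the export."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = SYSLOG.match(line)
        records.append(m.groupdict() if m else {"raw": line})
    return records


def summarize_auth(records: list, threshold: int = 3) -> dict:
    """Count failed SSH logins per source address, list successful logins,
    and flag any source at or above the failure threshold."""
    failed = Counter()
    accepted = []
    for r in records:
        msg = r.get("msg", "")
        f = FAILED.search(msg)
        if f:
            failed[f["ip"]] += 1
            continue
        a = ACCEPTED.search(msg)
        if a:
            accepted.append((a["user"], a["ip"], a["method"]))
    flagged = sorted(ip for ip, n in failed.items() if n >= threshold)
    return {"failed_by_ip": dict(failed), "accepted": accepted, "flagged": flagged}


if __name__ == "__main__":
    summary = summarize_auth(parse_syslog(SAMPLE_AUTH_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Keeping unparsed lines as raw records matters for evidence: a parser that quietly discards what it does not understand produces an export that no longer represents the original log.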

119
Q

Who might have seen this?
- You won’t know until you ask

Interview and document
- These folks might not be around later

Not all witness statements are 100% accurate
- Humans are fallible

A

Interviews

120
Q

Document the findings
- For Internal use, legal proceedings, etc

Summary information
- Overview of the security incident

Detailed explanation of data acquisition
- Step-by-step method of the process

The findings
- An analysis of the data

Conclusion
- Professional result, given the analysis

A

Reports

121
Q

How long does data stick around?
- Some media is much more volatile than others
- Gather data in order from the most volatile to less volatile

Order most to least volatile:
1) CPU registers, CPU cache
2) Routing table, ARP cache, process table, kernel statistics, memory
3) Temporary file systems
4) Disk
5) Remote logging and monitoring data
6) Physical configuration, network topology
7) Archival media

A

Order of volatility

122
Q

Copy everything on a storage drive
- Hard drive, SSD, flash drive

Drive image preparation
- Power down to prevent changes
- Remove storage drive

Connect to imaging device
- With write-protection

Forensic clone
- Bit-for-bit copy
- Preserve all data (even the “deleted” data)

A

Disk
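
An added example of the acquisition step, not from the flashcards or any imaging product: a sector-by-sector copy that hashes the image as it is written and handles the failure mode a real drive can present, an unreadable sector. The device is a constructed in-memory stand-in that fails on chosen sectors; the zero-fill-and-continue behaviour mirrors what `dd conv=noerror,sync` does, so later sectors keep their original offsets.

```python
import hashlib
import io

SECTOR = 512


class FlakyDevice:
    """Constructed stand-in for a raw block device (not a real driver):
    any sector listed in bad_sectors raises an I/O error when read."""

    def __init__(self, data: bytes, bad_sectors=()):
        self.data = data
        self.bad = set(bad_sectors)

    @property
    def sector_count(self) -> int:
        return len(self.data) // SECTOR

    def read_sector(self, n: int) -> bytes:
        if n in self.bad:
            raise OSError(5, "Input/output error")
        return self.data[n * SECTOR:(n + 1) * SECTOR]


def acquire(dev, out) -> dict:
    """Bit-for-bit copy, one sector at a time, hashing the image as it is
    written. An unreadable sector is zero-filled and logged rather than
    skipped, so every later sector lands at its original offset."""
    digest = hashlib.sha256()
    bad = []
    for n in range(dev.sector_count):
        try:
            chunk = dev.read_sector(n)
        except OSError:
            chunk = b"\x00" * SECTOR
            bad.append(n)
        out.write(chunk)
        digest.update(chunk)
    return {"sectors": dev.sector_count, "bad_sectors": bad, "sha256": digest.hexdigest()}


def verify_image(image: bytes, acquisition_record: dict) -> bool:
    """Re-hash the stored image and compare it to the hash taken during
    acquisition; that hash is what goes into the chain-of-custody record."""
    return hashlib.sha256(image).hexdigest() == acquisition_record["sha256"]


def image_bytes(data: bytes, bad_sectors=()) -> tuple:
    """Image an in-memory device and return (image, acquisition record)."""
    out = io.BytesIO()
    record = acquire(FlakyDevice(data, bad_sectors), out)
    return out.getvalue(), record


if __name__ == "__main__":
    sample = bytes(range(256)) * 8  # constructed 2048-byte "drive", 4 sectors
    image, record = image_bytes(sample, bad_sectors=[2])
    print(record)
    print("image verifies:", verify_image(image, record))
```

Note what the hash proves: the image matches what the imager wrote, not what the damaged sectors originally held. The bad-sector list has to travel with the hash in the acquisition notes.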

123
Q

A difficult target to capture
- Changes constantly
- Capturing data changes the data

Memory dump
- Grab everything
- Many third-party tools

Important data
- Browser history
- Clipboard information
- Encryption keys
- Command history

A

Random Access Memory (RAM)

124
Q

Used by different operating systems
- Slightly different usage in each

A place to store RAM when memory is depleted
- There’s a lot more space on the storage device
- Transfer pages of RAM to a storage device

Can also contain portions of an application
- Page out portions that aren’t in use

Contains data similar to a RAM dump
- Anything active on the system

A

Swap/pagefile

125
Q

OS files and data
- May have been modified

Core operating system
- Executable files and libraries
- Can be compared later to known-good files
- Usually captured with a drive image

Other OS data
- Logged in users
- Open ports
- Processes currently running
- Attached device list

A

Operating System

126
Q

Mobile device and tablets
- A more challenging forensics task

Capture data
- Use an existing backup file
- Transfer image over USB

Data
- Phone calls
- Contact information
- Text messages
- Email data
- Images and movies

A

Device

127
Q

Extract the device firmware
- Rootkits and exploited hardware device
- A reprogrammed firmware or ROM

Specific to the platform
- Firmware implementations vary widely

Attacker gains access to the device
- Maintains access through OS updates

Data dictionary
- Exploit data
- Firmware functionality
- Real-time data

A

Firmware

128
Q

Generally associated with virtual machines
- A point-in-time system image

Incremental between snapshots
- Original image is the full backup
- Each snapshot is incremented from the last
- Restoring requires the original and all snapshots

Contains all files and information about a VM
- Similar to the system image
- Operating system, applications, user data, etc

A

Snapshot

129
Q

Store data for use later
- Often used to increase performance
- Many different caches (CPU, disk, Internet, etc.)

Can contain specialized data
- CPU cache is very short-term instruction storage

Some data may never be used
- Erased after a specified timeframe or when the cache is full
- Browser caches are often long-lived

Data
- URL locations
- Browser page components (text, images)

A

Cache

130
Q

Gather information about and from the network
- Network connections, packet captures

Inbound and outbound sessions
- OS and application traffic

Packet data
- Capture raw network data
- May include long-term packet captures

Third-party packet captures
- Firewalls, IPS, etc.

A

Network

131
Q

Digital items left behind
- Every contact leaves a trace
- May not be obvious to access

Artifact locations
- Log information
- Flash memory
- Prefetch cache files
- Recycle Bin
- Browser bookmarks and saved logins

A

Artifacts

132
Q

Adding complexity to the digital forensics process
- Cloud technologies

Technical challenges
- Devices are not totally in your control
- There may be limited access
- Associate data with a specific user

Legal issues
- Laws are different around the world
- The rules may not be immediately obvious

A

Forensics in the cloud

133
Q

Common to work with business partners
- Data sharing
- Outsourcing

Cloud computing providers
- Can hold all of the data
- Manage Internet access
- Are they secure?

Should be in the contract
- A legal agreement to have the option to perform a security audit at any time
- Everyone agrees to the terms and conditions
- Ability to verify security before a breach occurs

A

Right to audit clauses

134
Q

Cloud computing technology appeared relatively quickly
- The legal world is scrambling to catch up

Forensics professionals must know their legal rights
- Data in a different jurisdiction may be bound by very different regulations

Data stored in the cloud may not be located in the same country
- Location of the data center may determine how data can be treated

Location of the data is critical
- Legal frameworks vary widely between countries
- Some countries don’t allow electronic searches outside of their borders

A

Regulatory/jurisdiction

135
Q

Notification laws
- If consumer data is breached, the consumer must be informed
- Vary widely across countries and localities
- If you are in the cloud, you’re a global entity

Notification requirements also vary
- Type of data breached
- Who gets notified
- How quickly

A

Data breach notification laws

136
Q

Hashing
- Cryptographic integrity verification
- A digital “fingerprint”

Checksums
- Protects against accidental changes during transmission
- A relatively simple integrity check
- Not designed to replace a hash

Provenance
- Documentation of authenticity
- A chain of custody for data handling
- Blockchain technology

A

Integrity

137
Q

Handling evidence
- Isolate and protect the data
- Analyze the data later without any alterations

Manage the collection process
- Work from copies
- Manage the data collection from mobile devices

Live collection has become an important skill
- Data may be encrypted or difficult to collect after powering down

Follow best practices to ensure admissibility of data in court
- What happens now affects the future

A

Preservation

138
Q

Collect, prepare, review, interpret, and produce electronic documents

Gathers data required by the legal process
- Does not generally involve analysis
- There’s no consideration of intent

Works together with digital forensics
- The e-discovery process obtains a storage device
- Data on the drive is smaller than expected
- Forensics experts determine that data was deleted and attempt to recover the data

A

Electronic discovery (E-discovery)

139
Q

Extract missing data without affecting the integrity of the data
- Requires training and expertise

The recovery process can vary
- Deleted file
- Hidden data
- Hardware or software corruption
- Storage device is physically damaged

A

Data recovery

140
Q

Proof of data integrity and the origin of the data
- The data is unchanged and really did come from the sender
- Hashing alone proves integrity; proving origin needs a key only the sender holds

Authentication that is genuine with high confidence
- The only person who could have sent the data is the sender

Message Authentication Code (MAC)
- Both parties share the key, so either of them could have created the tag
- Authenticates the message between the two parties, but cannot prove to a third party which of them sent it

Digital signature (verified with a digital certificate)
- Created with the sender's private key, checked with the public key in the certificate
- Only the sender could have produced it; the non-repudiation can be publicly verified

A

Non-repudiation
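
An added example of the distinction above, written for this card and not taken from the flashcards or any library: the same judge-style question ("who could have produced this?") is asked of an HMAC tag and of a signature. The shared key, the message and the RSA primes are constructed; the RSA here is textbook, with a 40-bit modulus and no padding, used only to show which party holds which key, and is nothing like a production signature scheme.

```python
import hashlib
import hmac

# --- MAC: one key shared by both parties (constructed key, demo only) ---
SHARED_KEY = b"constructed-shared-secret"


def mac_tag(key: bytes, msg: bytes) -> str:
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def who_could_have_made_mac(msg: bytes, tag: str, key_holders: dict) -> set:
    """A third party can only conclude: anyone holding the key could have
    produced this tag. With two holders the attribution is ambiguous, so the
    sender can repudiate it."""
    return {name for name, key in key_holders.items()
            if hmac.compare_digest(mac_tag(key, msg), tag)}


# --- Signature: private key held only by the sender ---
# Toy textbook RSA (assumed primes, no padding): enough to show the key
# asymmetry, not a usable signature scheme.
P, Q, E = 999983, 1000003, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: the sender alone has this


def _digest_int(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def rsa_sign(msg: bytes, private_d: int = D) -> int:
    return pow(_digest_int(msg), private_d, N)


def rsa_verify(msg: bytes, sig: int, public_e: int = E) -> bool:
    """Anyone with the public key (from the certificate) can run this check;
    it succeeds only for a value produced with the matching private key."""
    return pow(sig, public_e, N) == _digest_int(msg)


def receiver_forgery_attempt(msg: bytes) -> int:
    """The best a receiver without D can do: transform the digest with the
    only exponent they have, the public one. It will not verify."""
    return pow(_digest_int(msg), E, N)


if __name__ == "__main__":
    msg = b"approve wire transfer 4711"  # constructed message
    tag = mac_tag(SHARED_KEY, msg)
    print("MAC could be from:", who_could_have_made_mac(
        msg, tag, {"alice": SHARED_KEY, "bob": SHARED_KEY}))
    sig = rsa_sign(msg)
    print("signature verifies:", rsa_verify(msg, sig))
    print("receiver forgery verifies:", rsa_verify(msg, receiver_forgery_attempt(msg)))
```

The MAC result is the whole point: both key holders appear in the set, so the tag authenticates the message to the other party but gives a court nothing to attribute it with. The signature verifies under the public key alone, and the private key never leaves the sender.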

141
Q

A focus on key threat activity for a domain

Business sectors, geographical regions, countries

Gather information from internal threat reports, third-party data sources, and other data inputs

Determine the threat landscape based on the trends

A

Strategic intelligence

142
Q

Prevent hostile intelligence operations

Discover and disrupt foreign intelligence threats

Gather threat information on foreign intelligence operations

A

Strategic counterintelligence