Sec+ Chapter 14: Incident Response Flashcards
(43 cards)
IR plan
Incident response plan
Before any response to or recovery from an attack, the whole process needs to be fully documented
Helps us recognize and identify when an attack is occurring
If an attack occurs, we can contain it and limit its scope, exfiltration, or access to sensitive data
Incident
Violation of organization policies, procedures, or security practices
Event
Observable occurrences
There will always be many events, but not all will translate into incidents
6 steps for IR
1) Preparation
2) Identification
3) Containment
4) Eradication
5) Recovery
6) Lessons learned
Key members for an IR team
The team within your org that responds to incidents, analyzes what is happening and how to respond, and reports on how to strengthen the org against the next attack
You want people from:
1) Leadership (managers, VPs, etc)
2) InfoSec staff
3) Tech experts (sysadmins, devs, etc)
4) Comms and PR
5) Legal and HR
6) LEO (if applicable)
Tabletop exercises
Team gets a scenario and talks through how they would respond to incidents, what issues might arise, and how to accomplish their respective tasks
Walk through exercises
Walk through each step of the incident response to test all processes and procedures with all responders
Examine your toolkit, make sure software and hardware is ready to go and up to date
If you run into a problem, you can resolve it now vs waiting for an event to occur
Simulation exercises
An exercise that simulates an actual incident to test response processes
EX: Phishing email attacks to see who takes the bait
COOP
Continuity of operations planning
A plan that’s put together long before a disaster strikes so we know how to conduct operations if we don’t have access to our normal tech and systems
MITRE ATT&CK framework
Adversarial tactics, techniques, and common knowledge
A widely used, comprehensive, freely available knowledge base of adversary tactics and techniques drawn from real-world observations
Maps the threat lifecycle from initial access through execution, persistence, privilege escalation, and exfiltration, organized by tactic (the goal) and technique (how it is achieved)
Diamond model of intrusion analysis
Heavy focus on understanding the attacker and their motivations
Uses scientific principles that are applied to intrusion analysis to understand the relationships between the different pieces of an attack
Measurement, testability, and repeatability
4 points of the Diamond
1) Adversary: The attacker (operator and/or whoever they act on behalf of)
2) Capability: What the attacker uses (tools, malware, exploits, techniques)
3) Victim: The target, whether a person, org, system, or network
4) Infrastructure: The physical or logical communication structures used to deliver the capability and control or exfiltrate (domains, IPs, servers, email accounts)
There’s a relationship between each of these points on the diamond
EX:
The adversary uses the infrastructure and develops the capability
The victim is exploited by the capability and connects to the infrastructure
Meta features in Diamond
Used to order events in a sequence, known as an activity thread, as well as for grouping events based on their features
The meta features are:
1) Start and end timestamps
2) Phase
3) Result
4) Direction
5) Methodology
6) Resources
Confidence value in Diamond
A value subjectively determined by analysts based on their own work
Cyber Kill Chain
A seven step process developed by Lockheed Martin:
1) Recon: Gather intel
2) Weaponization: Build a deliverable payload
3) Delivery: Send the payload
4) Exploitation: Execute code on a victim’s device
5) Installation: Malware is installed on the target system for persistence
6) C2: A command and control channel is established for remote access
7) Actions on objectives: Attacker remotely carries out objectives
System logs
Log files for a system with information like the OS itself, file system, and apps running on the OS
Application logs
Log files that give details on how an app is performing
Can contain things like installer info, app errors, license checks, etc
Security logs
Detailed security related information like authentication attempts, blocked and allowed traffic flows, exploit attempts, blocked URL categories, DNS sinkhole traffic, etc
Most of these are created on devices we have connected to our network like IPS, firewall, WAF, or proxy
Linux examples: /var/log/auth.log (Debian/Ubuntu) and /var/log/secure (RHEL/CentOS) hold authentication and sudo events
Vulnerability scan output
Provides clues about what attackers may have targeted, changes in exposed services, or issues that were suddenly patched (attackers sometimes close the door behind them to keep other intruders out)
Network and security device logs
Logs that include information for devices like switches, firewalls, routers, VPN concentrators, etc
They can contain config changes, traffic info, network flows, and data captured by packet analyzers
Web logs
If you’re running a webserver, you’ll have these logs
Tracks requests to the web server: what was accessed, when, and from which IP
Can help identify SQL injection or other web-app-specific attacks, attempts to access nonexistent files, or requests for files associated with known vulnerabilities
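To make the web log card concrete, here is an added example (not from the original flashcards) that parses Apache/nginx "combined" format lines and flags the two things the card mentions: SQL injection indicators in the request and 404 probing of paths associated with known-vulnerable software. The log lines, the indicator regexes, and the PROBE_PATHS list are constructed for this example; real deployments would use tuned rules. Note that payloads are usually URL-encoded, so the decoded path is what gets inspected.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_WEB_LOG = """\
203.0.113.7 - - [10/Mar/2024:13:55:36 +0000] "GET /products?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:13:55:38 +0000] "GET /products?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:13:55:40 +0000] "GET /products?id=42%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 500 312 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:13:56:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:13:56:02 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:13:56:03 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.31"
192.0.2.55 - - [10/Mar/2024:13:57:12 +0000] "GET /about HTTP/1.1" 200 2048 "https://example.com/" "Mozilla/5.0"
"""

# One regex for the combined log format: client IP, timestamp, request line, status, size, referer, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hypothetical indicator lists for this example; tune them to your own environment.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s*'?\d", re.I),   # ' OR '1'='1 style tautologies
    re.compile(r"\bunion\b.+\bselect\b", re.I),  # UNION SELECT data extraction
    re.compile(r"--\s*$|;\s*--|/\*.*\*/"),        # SQL comment terminators
]
PROBE_PATHS = {"/phpmyadmin/", "/wp-login.php", "/.env", "/xmlrpc.php"}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Attackers URL-encode payloads; always inspect the decoded form.
    rec["decoded_path"] = unquote(rec["path"])
    return rec


def analyze_web_log(text):
    """Return {ip: [finding, ...]} for SQLi indicators and 404 probing of known-vulnerable paths."""
    findings = defaultdict(list)
    not_found = defaultdict(int)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["decoded_path"]
        if any(p.search(path) for p in SQLI_PATTERNS):
            findings[ip].append(f"sqli-indicator {rec['method']} {path} -> {rec['status']}")
        if rec["status"] == 404:
            not_found[ip] += 1
            base = path.split("?", 1)[0]
            if base in PROBE_PATHS:
                findings[ip].append(f"probe-known-vuln-path {base}")
    # A burst of 404s from one source is itself a sign of scanning for files that do not exist.
    for ip, n in not_found.items():
        if n >= 3:
            findings[ip].append(f"{n} responses with status 404")
    return dict(findings)


if __name__ == "__main__":
    for ip, items in analyze_web_log(SAMPLE_WEB_LOG).items():
        print(ip)
        for item in items:
            print("  ", item)
```

Running it flags 203.0.113.7 for the two injection attempts and 198.51.100.9 for probing three known-vulnerable paths plus the 404 burst; the normal visitor 192.0.2.55 produces no findings.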
DNS logs
Details about DNS queries, which can reveal attackers gathering info, systems that may be compromised (based on what they try to resolve), or internal users misusing resources
EX: See if someone is trying to resolve to a known malicious site or a known C2 domain
You can use this log to find devices potentially infected with malware and clean or remove from network
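As an added example for the DNS log card (not part of the original flashcards), the snippet below walks constructed DNS query log lines and reports which internal hosts resolved a known malicious or C2 domain. The log format ("timestamp client qtype qname"), the client addresses, and the KNOWN_BAD_DOMAINS list are all assumptions for the example. The matching walks the label hierarchy so that a subdomain such as update.cdn.badc2.example matches the indicator badc2.example, while a naive substring check that would wrongly flag notbadc2.example does not fire.

```python
from collections import defaultdict

# Hypothetical threat-intel list of known C2 / malicious domains (example values, not real intel).
KNOWN_BAD_DOMAINS = {"badc2.example", "phish-login.test"}

# Constructed DNS query log lines in an assumed "timestamp client qtype qname" format.
SAMPLE_DNS_LOG = """\
2024-03-10T13:55:36Z 10.0.0.12 A www.example.com
2024-03-10T13:55:41Z 10.0.0.12 A update.cdn.badc2.example
2024-03-10T13:56:41Z 10.0.0.12 A update.cdn.badc2.example
2024-03-10T13:57:41Z 10.0.0.12 A update.cdn.badc2.example
2024-03-10T13:58:02Z 10.0.0.31 A notbadc2.example
2024-03-10T13:58:10Z 10.0.0.44 TXT phish-login.test
this line is malformed
"""


def matching_indicator(qname, bad_domains=KNOWN_BAD_DOMAINS):
    """Return the blocklisted domain that qname equals or is a subdomain of, else None.

    Checks every parent suffix of the name (a.b.badc2.example -> b.badc2.example
    -> badc2.example) but never the bare TLD, so a substring false positive such as
    notbadc2.example is not reported.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in bad_domains:
            return candidate
    return None


def find_suspect_hosts(text, bad_domains=KNOWN_BAD_DOMAINS):
    """Return {client_ip: {indicator: query_count}} for clients that resolved known-bad domains.

    The per-indicator count matters: repeated lookups of the same C2 name at a steady
    interval (as 10.0.0.12 shows here) look like beaconing, not a one-off click.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crashing mid-investigation
        _ts, client, _qtype, qname = parts
        indicator = matching_indicator(qname, bad_domains)
        if indicator:
            hits[client][indicator] += 1
    return {client: dict(counts) for client, counts in hits.items()}


if __name__ == "__main__":
    for client, counts in find_suspect_hosts(SAMPLE_DNS_LOG).items():
        print(client, "->", counts)
```

The output names 10.0.0.12 (three lookups of a badc2.example host) and 10.0.0.44 (one phish-login.test lookup) as the hosts to isolate and clean; 10.0.0.31 is left alone.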
Authentication logs
When an account was logged in to, login system, location, source IP, privilege use, password attempts, success or failure, etc
EX: ID brute force attacks
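The brute-force example on the authentication log card, carried through in code as an added example (not from the original flashcards): it parses constructed sshd lines in /var/log/auth.log syslog format, counts failed logins per source IP inside a sliding time window, and separately flags the case a responder most wants to see, a successful login from the same source right after the burst. The year (syslog timestamps omit it), the threshold of 5 failures in 10 minutes, and the sample hosts and addresses are assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines in /var/log/auth.log syslog format (not from a real host).
SAMPLE_AUTH_LOG = """\
Mar 10 09:00:00 web01 sshd[1900]: Failed password for carol from 192.0.2.9 port 33000 ssh2
Mar 10 13:55:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 10 13:55:02 web01 sshd[2103]: Failed password for invalid user test from 203.0.113.5 port 51236 ssh2
Mar 10 13:55:03 web01 sshd[2105]: Failed password for root from 203.0.113.5 port 51238 ssh2
Mar 10 13:55:04 web01 sshd[2107]: Failed password for bob from 203.0.113.5 port 51240 ssh2
Mar 10 13:55:05 web01 sshd[2109]: Failed password for bob from 203.0.113.5 port 51242 ssh2
Mar 10 13:55:09 web01 sshd[2111]: Accepted password for bob from 203.0.113.5 port 51244 ssh2
Mar 10 14:02:17 web01 sshd[2201]: Failed password for alice from 198.51.100.20 port 40022 ssh2
Mar 10 14:02:40 web01 sshd[2203]: Accepted publickey for alice from 198.51.100.20 port 40023 ssh2
Mar 10 16:00:00 web01 sshd[2500]: Failed password for carol from 192.0.2.9 port 33001 ssh2
"""

# sshd success/failure lines: result, auth method, (optionally "invalid user") username, source IP.
AUTH_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: '
    r'(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) '
    r'from (?P<ip>\S+) port \d+'
)


def parse_auth_line(line, year=2024):
    """Parse one sshd line; syslog omits the year, so the caller supplies it (2024 assumed here)."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    return rec


def detect_brute_force(text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: summary} for sources with >= threshold failures inside one `window`.

    Spreading the same number of failures over hours (192.0.2.9 here) does not trip the
    sliding window, which keeps ordinary typo-level failures from paging anyone.
    """
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_auth_line(line)
        if rec:
            events[rec["ip"]].append(rec)

    alerts = {}
    for ip, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        fails = [r for r in recs if r["result"] == "Failed"]
        # Sliding window: largest number of failures whose timestamps fit inside `window`.
        peak, start = 0, 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        # A success from the same source shortly after the burst suggests the guess worked.
        last_fail = fails[-1]["ts"]
        compromised = sorted({
            r["user"] for r in recs
            if r["result"] == "Accepted" and timedelta(0) <= r["ts"] - last_fail <= window
        })
        alerts[ip] = {
            "failures_in_window": peak,
            "users_tried": sorted({r["user"] for r in fails}),
            "success_after_burst": compromised,
        }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_brute_force(SAMPLE_AUTH_LOG).items():
        print(ip, summary)
```

On the sample data only 203.0.113.5 is reported: five failures across four usernames in a few seconds, followed by an accepted password for bob, so that account and source should go straight into containment.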
Dump files
Show the state of memory and the system at the time of a crash, or can be created manually
EX: Windows blue screen of death creates a memory dump
Could show if malware or attack tools were used to crash a system