Sec+ Chapter 14: Incident Response Flashcards
IR plan
Incident response plan
Before any type of response or recovery from an attack, the whole process needs to be fully documented
Helps us understand and identify when an attack occurs
If an attack occurs we can contain it and limit the scope, exfiltration, or access to sensitive data
Incident
Violation of organization policies, procedures, or security practices
Event
Observable occurrences
There will always be many events, but not all will translate into incidents
6 steps for IR
1) Preparation
2) Identification
3) Containment
4) Eradication
5) Recovery
6) Lessons learned
Key members for an IR team
The team within your org that responds to incidents, provides analysis of what’s happening and how we respond to it, and reports on how to strengthen the org for the next attack
You want people from:
1) Leadership (managers, VPs, etc)
2) InfoSec staff
3) Tech experts (sysadmins, devs, etc)
4) Comms and PR
5) Legal and HR
6) LEO (if applicable)
Tabletop exercises
Team gets a scenario and talks through how they would respond to incidents, what issues might arise, and how to accomplish their respective tasks
Walk through exercises
Walk through each step of the incident response to test all processes and procedures with all responders
Examine your toolkit, make sure software and hardware is ready to go and up to date
If you run into a problem, you can resolve it now vs waiting for an event to occur
Simulation exercises
An exercise that simulates an actual incident to test response processes
EX: Phishing email attacks to see who takes the bait
COOP
Continuity of operations planning
A plan that’s put together long before a disaster strikes so we know how to conduct operations if we don’t have access to our normal tech and systems
MITRE ATT&CK framework
Adversarial tactics, techniques, and common knowledge
The most popular, comprehensive, and freely available database
Maps complete threat lifecycle from initial access through execution, persistence, privilege escalation, and exfiltration
Diamond model of intrusion analysis
Heavy focus on understanding the attacker and their motivations
Uses scientific principles that are applied to intrusion analysis to understand the relationships between the different pieces of an attack
Measurement, testability, and repeatability
4 points of the Diamond
1) Adversary: The attacker
2) Capability: What the attacker uses
3) Victim: The target, no matter what it is
4) Infrastructure: What was used to gain access
There’s a relationship between each of these points on the diamond
EX:
Adversary would use the infrastructure and develop a capability
The victim is exploited by the capability and connects to the infrastructure
Meta features in Diamond
Used to order events in a sequence, known as an activity thread, as well as for grouping events based on their features
The meta features are:
1) Start and end timestamps
2) Phase
3) Result
4) Direction
5) Methodology
6) Resources
Confidence value in Diamond
A value subjectively determined by analysts based on their own work
Cyber Kill Chain
A seven step process developed by Lockheed Martin:
1) Recon: Gather intel
2) Weaponization: Build a deliverable payload
3) Delivery: Send the payload
4) Exploitation: Execute code on a victim’s device
5) Installation: Malware is installed on the OS
6) C2: Create C2 channel for remote access
7) Actions on objectives: Attacker remotely carries out objectives
System logs
Log files for a system with information like the OS itself, file system, and apps running on the OS
Application logs
Log files that give details on how an app is performing
Can contain things like installer info, app errors, license checks, etc
Security logs
Detailed security related information like authentication attempts, blocked and allowed traffic flows, exploit attempts, blocked URL categories, DNS sinkhole traffic, etc
Most of these are created on devices we have connected to our network like IPS, firewall, WAF, or proxy
/var/log/auth.log
/var/log/secure
Vulnerability scan output
Provides clues about what attackers may have targeted, changes in services, or newly patched issues (attackers closing doors behind them)
Network and security device logs
Logs that include information for devices like switches, firewalls, routers, VPN concentrators, etc
They can contain config changes, traffic info, network flows, and data captured by packet analyzers
Web logs
If you’re running a webserver, you’ll have these logs
Tracks requests to the web server: what was accessed, when it was accessed, and which IP sent the request
Can help with identifying SQL injection or other web app specific attacks, if someone tries to access nonexistent files, or files associated with known vulnerabilities
DNS logs
Details about DNS queries, like attackers gathering info, which systems might be compromised based on their DNS requests, or whether internal users are misusing resources
EX: See if someone is trying to resolve a known malicious site or a known C2 domain
You can use this log to find devices potentially infected with malware and clean them or remove them from the network
Authentication logs
When an account was logged in to, the login system, location, source IP, privilege use, password attempts, success or failure, etc
EX: Identify brute force attacks
Dump files
Show the state of memory and the system at the time of a crash, or can be created manually
EX: Windows blue screen of death creates a memory dump
Could show if malware or attack tools were used to crash a system
VOIP, call manager, SIP logs
Session initiation protocol: sets up, manages, and tears down the phone call
Info about inbound and outbound calls on a VOIP system
Metadata
Data that describes other types of data, contained within the files we use on our devices
Four types of metadata and EX:
1) Email: header details, sending servers, destination address
2) Mobile: type of phone, GPS location
3) Web: OS, browser type, IP
4) File: name, address, phone number, title
Playbook
Conditional, step by step guides to help IR teams take proper action if an event occurs
EX: Investigate data breach or recover from ransomware
Runbook
Operational procedure guides with linear, checklist-style steps for performing actions
EX: How to reset a password, create a website cert, back up app data, or set up new hire machines
SOAR
Security orchestration, automation, and response
Platforms that allow you to quickly assess the attack surface of an org, the state of systems, and where issues may exist
Orchestration: Modify firewall rules, change permissions and email filters, and do it dynamically as info is evaluated by systems
Automation: Have our systems handle security tasks instead of individual people
Response: Make changes immediately, at any time, and react to anything happening in our network
App whitelist
A list of all apps and files allowed to be on a system
Prevents anything not on the list from being installed or run
App blacklist
A list of all apps and files not allowed on system
Will prevent them from being installed or copied to the system
Quarantine solutions
Tools that place files into specific safe zones rather than deleting them, which can help with investigation
Configuration changes
One of the most frequently used tools in containment and remediation efforts. Know these changes:
1) Firewall rules
2) MDM (Mobile device management)
3) DLP
4) Content and URL filtering
5) Updating or revoking certs
Isolation
Move a device into an area where it has limited or no access to other resources
EX:
1) Isolating malware that wants to connect to a C2
2) Someone tries to connect to the network with the wrong security posture, like outdated antivirus signatures
3) Limit app processes that are performing malicious activities on a machine
Containment
Prevent the spread of malware by leaving the system in place but preventing the malware from going anywhere else
Commonly seen with app sandboxes, where apps have limited interaction with the host OS or other apps
EX: An app infected with ransomware is placed into a sandbox and has no way to infect anything else
Also used to reactively contain the spread of multi device events, like ransomware infections
EX:
1) Ransomware detected on any machine
2) Change security posture: disable administrative shares, disable remote management, disable local account or admin access, and change passwords for admin accounts
Segmentation
Where you place systems with different functions or data security levels in different segments of a network
Usually done before an incident
NIST SP800-61
NIST special publication 800-61 revision 2
The computer security incident handling guide that walks you through:
1) Preparation
2) Detection and analysis
3) Containment, eradication, and recovery
4) Post-incident activity
Stakeholder management
The people who rely on the apps, data, and other technical resources that IT manages; these are the stakeholders
When something doesn’t work right, they suffer
Always maintain good relationships with them and involve them in the planning process for these security events
If there’s an event, bring them in to the resolution process
journalctl
Linux utility that allows you to query the binary information in the system journal and provides human-readable output based on what's inside
Search and filter, or view as plain text
Bandwidth monitors
You can get the information on bandwidth and percentage of network use over time with SNMP, NetFlow, sFlow, or IPFIX
These will identify fundamental issues, like whether you've exceeded the bandwidth needed to run an app
NetFlow
Gathers traffic flow statistics from switches, routers, and other devices on your network
The information is consolidated into a central NetFlow server so you can view data across all devices in one console
IPFIX
IP flow information export
Newer version of NetFlow that allows us greater flexibility and customization over what data we collect and what information is reported to the central server
sFlow
Sampled flow
Looks at a portion of the network traffic to gather metrics on; uses fewer resources than NetFlow or IPFIX
Smaller sample size, but you still get tons of great information for insights and analysis