Sec+ Chapter 14: Incident Response Flashcards

1
Q

IR plan

A

Incident response plan

Before any type of response to or recovery from an attack, the whole process needs to be fully documented

Helps us understand and identify when an attack occurs

If an attack occurs, we can contain it and limit the scope, exfiltration, or access to sensitive data

2
Q

Incident

A

A violation, or imminent threat of violation, of an organization's security policies, acceptable use policies, or standard security practices (the NIST SP 800-61 definition)

3
Q

Event

A

Any observable occurrence in a system or network

There will always be many events, but only some of them translate into incidents

4
Q

6 steps for IR

A

1) Preparation

2) Identification

3) Containment

4) Eradication

5) Recovery

6) Lessons learned

5
Q

Key members for an IR team

A

The team within your org that responds to incidents, provides analysis of what’s happening and how we respond to it, and reports on how to strengthen the org for the next attack

You want people from:

1) Leadership (managers, VPs, etc)

2) InfoSec staff

3) Tech experts (sysadmins, devs, etc)

4) Comms and PR

5) Legal and HR

6) LEO (if applicable)

6
Q

Tabletop exercises

A

Team gets a scenario and talks through how they would respond to incidents, what issues might arise, and how to accomplish their respective tasks

7
Q

Walk through exercises

A

Walk through each step of the incident response to test all processes and procedures with all responders

Examine your toolkit; make sure software and hardware are ready to go and up to date

If you run into a problem, you can resolve it now vs waiting for an event to occur

8
Q

Simulation exercises

A

An exercise that simulates an actual incident to test response processes

EX: Phishing email attacks to see who takes the bait

9
Q

COOP

A

Continuity of operations planning

A plan that’s put together long before a disaster strikes so we know how to conduct operations if we don’t have access to our normal tech and systems

10
Q

MITRE ATT&CK framework

A

Adversarial tactics, techniques, and common knowledge

The most widely used, comprehensive, and freely available knowledge base of real-world adversary behavior, organized as tactics (the attacker's goal) and techniques (how that goal is achieved)

Maps the complete threat lifecycle from initial access through execution, persistence, privilege escalation, and exfiltration

11
Q

Diamond model of intrusion analysis

A

Heavy focus on understanding the attacker and their motivations

Applies scientific principles (measurement, testability, and repeatability) to intrusion analysis in order to understand the relationships between the different pieces of an attack

12
Q

4 points of the Diamond

A

1) Adversary: The attacker

2) Capability: What the attacker uses (malware, exploits, tools)

3) Victim: The target, whatever it is (a person, a system, a network)

4) Infrastructure: The physical or logical resources (IP addresses, domains, C2 servers, email accounts) the attacker uses to deliver the capability and reach the victim

There's a relationship between each of these points on the diamond

EX:

The adversary uses the infrastructure and develops a capability

The victim is exploited by the capability and connects to the infrastructure

13
Q

Meta features in Diamond

A

Used to order events in a sequence, known as an activity thread, as well as for grouping events based on their features

The meta features are:

1) Start and end timestamps

2) Phase

3) Result

4) Direction

5) Methodology

6) Resources

14
Q

Confidence value in Diamond

A

A value, subjectively determined by analysts based on their own work and experience, that records how confident they are in each feature or relationship of the event

15
Q

Cyber Kill Chain

A

A seven step process developed by Lockheed Martin:

1) Recon: Gather intel

2) Weaponization: Build a deliverable payload

3) Delivery: Send the payload

4) Exploitation: Execute code on a victim’s device

5) Installation: Malware is installed on the OS

6) C2: Create C2 channel for remote access

7) Actions on objectives: Attacker remotely carries out objectives

16
Q

System logs

A

Log files for a system with information like the OS itself, file system, and apps running on the OS

17
Q

Application logs

A

Log files that give details on how an app is performing

Can contain things like installer info, app errors, license checks, etc

18
Q

Security logs

A

Detailed security-related information like authentication attempts, blocked and allowed traffic flows, exploit attempts, blocked URL categories, DNS sinkhole traffic, etc.

Most of these are created on devices connected to our network like an IPS, firewall, WAF, or proxy

On Linux hosts, local authentication and privilege-use events (logins, sudo, SSH) go to one of:

/var/log/auth.log (Debian/Ubuntu)

/var/log/secure (RHEL/CentOS/Fedora)

19
Q

Vulnerability scan output

A

Provides clues about what attackers may have targeted, changes in services, or newly patched issues (attackers closing doors behind them)

20
Q

Network and security device logs

A

Logs that include information for devices like switches, firewalls, routers, VPN concentrators, etc

They can contain config changes, traffic info, network flows, and data captured by packet analyzers

21
Q

Web logs

A

If you're running a web server, you'll have these logs

Tracks requests to the web server: what was accessed, when it was accessed, and which IP sent the request

Can help identify SQL injection or other web-app-specific attacks, attempts to access nonexistent files, or requests for files associated with known vulnerabilities
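The two detections this card describes, worked through in code. This is an added example, not part of the original flashcard set: it parses Apache/nginx "combined" access-log lines (constructed here, with documentation IP ranges and a hypothetical site), URL-decodes the request, and flags both SQL-injection signatures and 404s for scanner probe paths. The probe-path list and signature patterns are illustrative assumptions, not a complete rule set.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample of Apache/nginx "combined" access-log lines (documentation IP
# ranges, hypothetical site); not real traffic.
SAMPLE_WEB_LOG = """\
203.0.113.7 - - [10/Mar/2024:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:13:55:40 +0000] "GET /products?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:13:56:02 +0000] "GET /.env HTTP/1.1" 404 209 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:13:56:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2024:13:57:10 +0000] "GET /search?q=union+select+username%2Cpassword+from+users-- HTTP/1.1" 500 0 "-" "curl/8.0"
192.0.2.44 - - [10/Mar/2024:13:58:00 +0000] "GET /about.html HTTP/1.1" 200 1200 "-" "curl/8.0"
"""

# Combined log format: client ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Paths that do not exist on the hypothetical site but that scanners probe for
# known-vulnerable software; a 404 for one of these is a reconnaissance signal.
PROBE_PATHS = {"/wp-login.php", "/.env", "/phpmyadmin/", "/xmlrpc.php", "/.git/config"}

# Minimal SQL-injection signatures, applied after URL-decoding so that
# %27 -> ' and %20 -> space cannot hide the payload.
SQLI_RE = re.compile(r"('\s*or\s*'|\bunion\s+select\b|--\s*$|;\s*drop\s+table\b)", re.IGNORECASE)


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # '+' is a space in query strings; decode before matching signatures.
    rec["decoded"] = unquote(rec["path"].replace("+", " "))
    return rec


def analyse_web_log(text):
    """Return (ip, category, evidence) tuples for suspicious requests."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if SQLI_RE.search(rec["decoded"]):
            findings.append((rec["ip"], "sqli", rec["decoded"]))
        elif rec["status"] == 404 and rec["path"] in PROBE_PATHS:
            findings.append((rec["ip"], "vuln-probe", rec["path"]))
    return findings


def suspicious_ips(text):
    """Collapse findings to {client ip: sorted list of categories seen}."""
    by_ip = defaultdict(set)
    for ip, category, _ in analyse_web_log(text):
        by_ip[ip].add(category)
    return {ip: sorted(cats) for ip, cats in by_ip.items()}


if __name__ == "__main__":
    for finding in analyse_web_log(SAMPLE_WEB_LOG):
        print(finding)
    print(suspicious_ips(SAMPLE_WEB_LOG))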

22
Q

DNS logs

A

Details about DNS queries, which can show attackers gathering information, which systems might be compromised based on their DNS requests, or whether internal users are misusing resources

EX: See if someone is trying to resolve to a known malicious site or a known C2 domain

You can use this log to find devices potentially infected with malware and clean or remove from network
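The C2-domain check from this card, as an added example that is not part of the original flashcard set. It parses constructed BIND-style query-log lines (private client addresses, ".example" names) against a hypothetical block list and reports which client hosts resolved a blocked name. The match is done on DNS label boundaries rather than as a substring, so a look-alike such as "fakec2.badactor.example" is not mistaken for "c2.badactor.example" while real subdomains of a blocked name still match.

```python
import re
from collections import defaultdict

# Constructed BIND-style query-log lines (".example" names, private client
# addresses); not real traffic.
SAMPLE_DNS_LOG = """\
10-Mar-2024 09:01:02.101 client @0x7f3a 10.0.0.5#53412 (www.example.com): query: www.example.com IN A + (10.0.0.1)
10-Mar-2024 09:01:05.330 client @0x7f3a 10.0.0.5#53413 (update.c2.badactor.example): query: update.c2.badactor.example IN A + (10.0.0.1)
10-Mar-2024 09:02:11.004 client @0x7f3b 10.0.0.9#41000 (malware-drop.example): query: malware-drop.example IN TXT + (10.0.0.1)
10-Mar-2024 09:02:12.777 client @0x7f3c 10.0.0.12#50001 (mail.example.com): query: mail.example.com IN MX + (10.0.0.1)
10-Mar-2024 09:03:40.212 client @0x7f3a 10.0.0.5#53414 (c2.badactor.example): query: c2.badactor.example IN A + (10.0.0.1)
10-Mar-2024 09:04:01.000 client @0x7f3d 10.0.0.7#60000 (fakec2.badactor.example): query: fakec2.badactor.example IN A + (10.0.0.1)
"""

# Hypothetical threat-intel block list of known C2 / malware domains.
BLOCKLIST = {"c2.badactor.example", "malware-drop.example"}

# Tolerates both the older "client ip#port: query:" and newer
# "client @ptr ip#port (name): query:" BIND layouts.
QUERY_RE = re.compile(
    r"client (?:@\S+ )?(?P<ip>[\d.:a-fA-F]+)#\d+ (?:\([^)]*\): )?query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def is_blocked(qname, blocklist):
    """Match on DNS label boundaries: the name itself or any subdomain of a blocked
    name. A plain substring test would also flag 'fakec2.badactor.example'."""
    name = qname.rstrip(".").lower()
    return any(name == bad or name.endswith("." + bad) for bad in blocklist)


def parse_query(line):
    """Return (client ip, normalized qname, qtype) or None for non-query lines."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return m["ip"], m["qname"].rstrip(".").lower(), m["qtype"]


def find_infected_hosts(text, blocklist=BLOCKLIST):
    """Return {client ip: sorted list of blocked names it tried to resolve}."""
    hits = defaultdict(set)
    for line in text.splitlines():
        rec = parse_query(line)
        if rec is None:
            continue
        ip, qname, _ = rec
        if is_blocked(qname, blocklist):
            hits[ip].add(qname)
    return {ip: sorted(names) for ip, names in hits.items()}


if __name__ == "__main__":
    print(find_infected_hosts(SAMPLE_DNS_LOG))
```

The client IP is only useful if you log on the resolver the endpoints actually talk to; if you log one hop upstream, every query appears to come from the internal resolver and the infected host cannot be identified.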

23
Q

Authentication logs

A

When an account was logged in to, login system, location, source IP, privilege use, password attempts, success or failure, etc

EX: ID brute force attacks
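The brute-force identification this card mentions, worked through over the sshd lines that land in /var/log/auth.log or /var/log/secure (card 18). This is an added example, not part of the original flashcard set; the log lines are constructed (documentation IP ranges, a hypothetical host "web01"), and the threshold of five failures in sixty seconds is an assumption to tune for your environment. Besides the brute-force itself, it flags the case that turns a noisy alert into an incident: a successful login from a source that was just brute-forcing.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed /var/log/auth.log-style sshd lines (documentation IP ranges,
# hypothetical host "web01"); not a real log.
SAMPLE_AUTH_LOG = """\
Mar 10 14:02:01 web01 sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 40112 ssh2
Mar 10 14:02:03 web01 sshd[1203]: Failed password for invalid user admin from 198.51.100.23 port 40114 ssh2
Mar 10 14:02:05 web01 sshd[1205]: Failed password for root from 198.51.100.23 port 40116 ssh2
Mar 10 14:02:08 web01 sshd[1207]: Failed password for root from 198.51.100.23 port 40118 ssh2
Mar 10 14:02:11 web01 sshd[1209]: Failed password for alice from 198.51.100.23 port 40120 ssh2
Mar 10 14:02:14 web01 sshd[1211]: Accepted password for alice from 198.51.100.23 port 40122 ssh2
Mar 10 14:05:00 web01 sshd[1300]: Failed password for bob from 203.0.113.8 port 51000 ssh2
Mar 10 14:30:00 web01 sshd[1350]: Failed password for bob from 203.0.113.8 port 51002 ssh2
Mar 10 14:31:00 web01 sshd[1351]: Accepted publickey for bob from 203.0.113.8 port 51004 ssh2
"""

SSH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_ssh_line(line):
    """Return (timestamp, result, user, ip) or None for lines that are not sshd logins."""
    m = SSH_RE.match(line)
    if not m:
        return None
    # Classic syslog timestamps carry no year. That is fine for ordering within one
    # file, but a log spanning New Year needs the year supplied separately, and
    # "Feb 29" will not parse against strptime's default year 1900.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_ssh_abuse(text, threshold=5, window_s=60):
    """Sliding-window brute-force detector.

    Flags a source IP once it produces `threshold` failures inside `window_s`
    seconds, and separately flags any later successful login from a flagged IP.
    """
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    flagged = set()
    alerts = []
    for line in text.splitlines():
        rec = parse_ssh_line(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        if result == "Failed":
            q = recent[ip]
            q.append(ts)
            # Drop failures that have aged out of the window.
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, ts.strftime("%H:%M:%S"), len(q)))
        elif ip in flagged:
            alerts.append(("success_after_brute_force", ip, ts.strftime("%H:%M:%S"), user))
    return alerts


if __name__ == "__main__":
    for alert in detect_ssh_abuse(SAMPLE_AUTH_LOG):
        print(alert)
```

The second source (203.0.113.8) produces two failures 25 minutes apart and then a key-based login; the window logic keeps that from being reported, which is the difference between a usable alert and one the on-call analyst learns to ignore.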

24
Q

Dump files

A

Show state of memory and system at time of a crash, or can be created manually

EX: Windows blue screen of death creates a memory dump

Could show if malware or attack tools were used to crash a system

25
Q

VOIP, call manager, SIP logs

A

Session initiation protocol: sets up, manages, and tears down the phone call

Info about inbound and outbound calls on a VOIP system

26
Q

Metadata

A

Data that describes other data; it is embedded in the files we use on our devices

Four types of metadata and EX:

1) Email: header details, sending servers, destination address

2) Mobile: type of phone, GPS location

3) Web: OS, browser type, IP

4) File: author name, address, phone number, document title (document properties)

27
Q

Playbook

A

Conditional, step by step guides to help IR teams take proper action if an event occurs

EX: Investigate data breach or recover from ransomware

28
Q

Runbook

A

Operational procedure guides with linear checklist steps to take to perform actions

EX: How to reset a password, create website cert, backup app data, or setup new hire machines

29
Q

SOAR

A

Security orchestration, automation, and response

Platforms that allow you to quickly assess the attack surface of an org, the state of systems, and where issues may exist

Orchestrating: Modify firewall rules, change permissions, email filters, and do it dynamically as info is evaluated by systems

Automation: Have our systems handle security tasks instead of individual people

Response: Make changes immediately, at any time, and react to anything happening in our network

30
Q

App whitelist

A

A list of all apps and files allowed to be on a system

Prevents anything not on the list from being installed or run

31
Q

App blacklist

A

A list of all apps and files not allowed on system

Will prevent them from being installed on or copied to the system

32
Q

Quarantine solutions

A

Tools that place files into specific safe zones rather than deleting them, which can help with investigation

33
Q

Configuration changes

A

One of the most frequently used tools in containment and remediation efforts. Know these changes:

1) Firewall rules

2) MDM (Mobile device management)

3) DLP

4) Content and URL filtering

5) Updating or revoking certs

34
Q

Isolation

A

Move a device into an area where it has limited or no access to other resources

EX:
1) Isolating malware that wants to connect to a C2

2) Someone tries to connect to the network with the wrong security posture, like outdated antivirus signatures

3) Limit app processes that are performing malicious activities on a machine

35
Q

Containment

A

Prevent the spread of malware by leaving the system in place but keeping the malware from going anywhere else

Commonly seen with app sandbox, where the apps have limited interaction with host OS or other apps

EX: App infected with ransomware is placed into a sandbox and has no method of infection

Also used to reactively contain the spread of multi device events, like ransomware infections

EX:
1) Ransomware detected on any machine

2) Change security posture to disable administrative shares, disable remote management, and disable local account or admin access, change passwords for admin accounts

36
Q

Segmentation

A

Where you place systems with different functions or data security levels in different segments of a network

Usually done before an incident

37
Q

NIST SP800-61

A

NIST special publication 800-61 revision 2

The computer security incident handling guide that walks you through:
1) Preparation
2) Detection and analysis
3) Containment, eradication, and recovery
4) Post-incident activity

38
Q

Stakeholder management

A

The people and business units that depend on the apps, data, and other technical resources IT manages; these are the stakeholders

When something doesn't work right, they suffer

Always maintain good relationships with them and involve them in the planning process for these security events

If there's an event, bring them into the resolution process

39
Q

journalctl

A

Linux utility that queries the binary systemd journal and renders what's inside as human-readable output

Can search and filter (by unit, time range, priority, or boot) or view as plain text
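Beyond plain text, journalctl can emit one JSON object per entry (`journalctl -o json`, optionally with `-u <unit>` and `-p <priority>`), which is the form you want when feeding the journal into a SIEM or a script. This added example, not part of the original flashcard set, reproduces the unit and priority filtering over constructed entries: the field names (__REALTIME_TIMESTAMP in microseconds, PRIORITY as a syslog level 0-7, _SYSTEMD_UNIT, _HOSTNAME, MESSAGE) are the journal's real field names, while the values and the host "web01" are made up.

```python
import json
from datetime import datetime, timezone

# Constructed entries in the shape of `journalctl -o json` output, one JSON object
# per line. Field names are the journal's real names; values are made up.
SAMPLE_JOURNAL = """\
{"__REALTIME_TIMESTAMP": "1710079321000000", "PRIORITY": "6", "_SYSTEMD_UNIT": "ssh.service", "_HOSTNAME": "web01", "MESSAGE": "Accepted publickey for alice from 10.0.0.5 port 51000 ssh2"}
{"__REALTIME_TIMESTAMP": "1710079325000000", "PRIORITY": "3", "_SYSTEMD_UNIT": "nginx.service", "_HOSTNAME": "web01", "MESSAGE": "worker process 2231 exited on signal 11"}
{"__REALTIME_TIMESTAMP": "1710079330000000", "PRIORITY": "4", "_SYSTEMD_UNIT": "ssh.service", "_HOSTNAME": "web01", "MESSAGE": "Invalid user admin from 198.51.100.23 port 40112"}
{"__REALTIME_TIMESTAMP": "1710079331000000", "PRIORITY": "2", "_SYSTEMD_UNIT": "systemd-logind.service", "_HOSTNAME": "web01", "MESSAGE": "Failed to start session scope for user root"}
"""

# syslog priority names, index == numeric level, as accepted by `journalctl -p`
PRIORITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def read_journal(text):
    """Yield one dict per non-empty line of `journalctl -o json` output."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def entry_time(entry):
    """Journal timestamps are microseconds since the Unix epoch, stored as strings."""
    return datetime.fromtimestamp(int(entry["__REALTIME_TIMESTAMP"]) / 1_000_000, tz=timezone.utc)


def filter_journal(text, max_priority=3, unit=None):
    """Keep entries at `max_priority` or more severe (lower number), optionally for
    one unit. Equivalent to: journalctl -p <max_priority> [-u <unit>] -o json
    Returns (iso time, priority name, unit, message) tuples in journal order."""
    kept = []
    for e in read_journal(text):
        prio = int(e.get("PRIORITY", 7))     # missing PRIORITY: treat as debug
        if prio > max_priority:
            continue
        if unit is not None and e.get("_SYSTEMD_UNIT") != unit:
            continue
        kept.append((entry_time(e).isoformat(), PRIORITY_NAMES[prio],
                     e.get("_SYSTEMD_UNIT", "-"), e["MESSAGE"]))
    return kept


if __name__ == "__main__":
    for row in filter_journal(SAMPLE_JOURNAL):          # err and worse, any unit
        print(row)
    for row in filter_journal(SAMPLE_JOURNAL, 7, "ssh.service"):  # everything from sshd
        print(row)
```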

40
Q

Bandwidth monitors

A

You can get the information on bandwidth and percentage of network use over time with SNMP, NetFlow, sFlow, or IPFIX

These identify fundamental issues, such as a link that no longer has enough bandwidth for an application to run properly

41
Q

NetFlow

A

Gathers traffic flow statistics from switches, routers, and other devices on your network

The information is consolidated on a central NetFlow collector so you can view data across all devices in one console

42
Q

IPFIX

A

IP flow information export

An IETF standard derived from NetFlow v9 that gives greater flexibility and customization (through templates) over what data we collect and what information is reported to the central collector

43
Q

sFlow

A

Sampled flow

Looks at a sampled portion of the network traffic (e.g., 1 in N packets) to gather metrics, so it uses fewer resources than NetFlow or IPFIX

Smaller sample size, but you still get plenty of useful information for insights and analysis