Section 1 - Advanced Incident Response and Threat Hunting Flashcards
What is dwell time?
How long an intruder has been inside your network before being detected
Delta
The time between initial penetration and detection
What is the top way that an intruder is detected?
Abnormally high levels of network traffic
What is organised crime motivated by?
Money
What are nation-state actors (APT) motivated by?
Information and intellectual property (IP) theft
What does ISAC stand for?
Information Sharing and Analysis Center
What are the six steps to incident response?
1) Preparation
2) Identification and Scoping
3) Containment/Intelligence Development
4) Eradication/Remediation
5) Recovery
6) Follow up/Lessons learned
What does SOC stand for?
Security Operations Center
What is the Pucker Factor?
Slang for the level of stress felt in response to a danger
What is the difference between a Hunting Organization and a Reactive Organization?
A hunting organization actively looks for incidents; a reactive organization only starts when it is notified
What does IOC stand for?
Indicators of Compromise
What does IR stand for?
Incident Response
What does TTP stand for?
Tactics, Techniques and Procedures
What is containment for “Active Defense”?
Data decoys, bit mangling, adversary network segmentation, full-scale host/network monitoring, kill switch
When do you use forensics vs threat hunting?
Forensics is for when you know nothing about the adversary yet and must build intelligence from the evidence; threat hunting is for when you already have a signature or IOC to search for
What three skills do you need on your IR team?
Host Forensics/IR
Network Forensics
Malware reverse engineering (RE)
What are the four remediation event goals?
Deny access
Restrict reaction
Remove presence
Degrade survivability
What are the three remediation event plan steps?
Posturing
Execute
Implement controls
What are the eight phases of a successful intrusion operation?
1) Recon
2) Delivery
3) Establishing foothold
4) Maintaining presence
5) Privilege escalation
6) Lateral movement
7) Data collection
8) Data exfiltration
What are the three IOC types?
Atomic
Behavioral
Computed
What is the Atomic IOC?
A literal value such as an IP address, domain, or string
What is the Behavioral IOC?
The adversary's profile and habits: patterns of activity rather than single values
What is Computed IOC?
Values derived from an artifact, such as file hashes or IDS signatures
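An added example, not part of the flashcard set, showing how each IOC type on these cards is matched differently: atomic values by exact string search, computed values by hashing an artifact and comparing, behavioral IOCs by a pattern over process events. All input is constructed sample data: the log lines, the process events, the IOC values (203.0.113.45 is an RFC 5737 documentation address; the hash is the SHA-256 of an empty file) and the empty scratch file that gets hashed.

```powershell
# Added example (not from the flashcard set): matching atomic, computed and behavioral IOCs.
# All log lines, events, IOC values and the scratch file below are constructed sample data.

# --- Atomic IOCs: literal values (IPs, domains, strings) found by exact search
$atomicIocs = @('203.0.113.45', 'update-check.example')
$sampleLog = @(
    '2024-03-01 10:02:11 proxy ALLOW 10.0.0.5 -> 203.0.113.45:443 GET /a.gif',
    '2024-03-01 10:02:12 dns   query 10.0.0.5 update-check.example',
    '2024-03-01 10:03:00 proxy ALLOW 10.0.0.9 -> 198.51.100.7:443 GET /index.html'
)
$atomicHits = $sampleLog | Select-String -SimpleMatch -Pattern $atomicIocs

# --- Computed IOCs: values derived from an artifact, e.g. a file hash. The IOC here is the
#     SHA-256 of empty input, and New-TemporaryFile creates an empty file, so it matches.
$computedIocs = @('e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855')
$scratch = New-TemporaryFile
$hash = (Get-FileHash -Path $scratch.FullName -Algorithm SHA256).Hash
$computedHit = if ($hash -in $computedIocs) { $scratch.FullName } else { $null }   # -in is case-insensitive
Remove-Item $scratch.FullName

# --- Behavioral IOCs: a pattern of activity, not a value. Here: an Office application
#     spawning a shell or script host, checked over constructed process-creation events.
$events = @(
    [pscustomobject]@{ Time='10:05:01'; Host='WS01'; Parent='WINWORD.EXE';  Image='cmd.exe';        CommandLine='cmd /c start powershell -enc QQBBAEEA' },
    [pscustomobject]@{ Time='10:05:02'; Host='WS01'; Parent='cmd.exe';      Image='powershell.exe'; CommandLine='powershell -enc QQBBAEEA' },
    [pscustomobject]@{ Time='10:06:00'; Host='WS02'; Parent='explorer.exe'; Image='WINWORD.EXE';    CommandLine='WINWORD.EXE report.docx' }
)
$officeApps = '^(winword|excel|powerpnt|outlook)\.exe$'        # -match is case-insensitive
$shells     = '^(cmd|powershell|wscript|cscript|mshta|rundll32)\.exe$'
$behavioralHits = $events | Where-Object { $_.Parent -match $officeApps -and $_.Image -match $shells }

# --- Report
"Atomic IOC hits:"
$atomicHits | ForEach-Object { "  [$($_.Pattern)] $($_.Line)" }
"Computed IOC hit: " + $(if ($computedHit) { $computedHit } else { 'none' })
"Behavioral IOC hits:"
$behavioralHits | ForEach-Object { "  $($_.Time) $($_.Host) $($_.Parent) -> $($_.Image) : $($_.CommandLine)" }
```

With the sample data, the first two log lines hit the atomic IOCs, the scratch file hits the computed IOC, and only the WINWORD.EXE -> cmd.exe event hits the behavioral pattern; the cmd.exe -> powershell.exe event is the same chain one step later and is deliberately not matched on its own. On a real host you would replace the sample log with Select-String over proxy or DNS logs, the scratch file with Get-ChildItem over the common malware locations, and the constructed events with Sysmon event ID 1 or Security 4688 records.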
Name four IOC sharing languages
CybOX
OpenIOC
STIX
YARA
What are the three possible detection situations?
Malware active
Malware exists but not active
No malware but system compromised
What are four file names commonly used by malware?
svchost.exe (impersonates the legitimate Windows service host)
iexplore.exe (impersonates Internet Explorer)
iprinp.dll
winzf32.dll
Name three common service replacements
Wireless Zero Configuration Service
RIP listener service
Background Intelligent Transfer Service
What are the seven most common malware locations?
1) Windows\system32
2) Temp folders
3) Windows
4) System Volume Information
5) Recycle Bin
6) Program Files
7) Temporary Internet Files
What does CRL stand for?
Certificate Revocation List
Name six malware persistence mechanisms
Autostart locations
Service creation/replacement
Service failure recovery
Scheduled tasks
DLL hijacking
WMI event subscriptions
What Start value in a service's registry key (HKLM\SYSTEM\CurrentControlSet\Services\<name>\Start) means the service starts automatically at boot?
0x02 (SERVICE_AUTO_START; 0x03 is manual, 0x04 is disabled)
Besides unquoted service paths, how else can a service execute malicious code?
Modify the service's failure recovery actions so that a program of the attacker's choosing runs when the service fails
What is the legacy program for scheduled tasks in Windows XP and Windows 7?
at.exe
What is the exe name for scheduling tasks?
schtasks.exe
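An added example, not part of the flashcard set, that pulls the persistence cards above together into a read-only triage sweep of a live Windows host: service Start values (flagging 0x02 auto-start services whose binary lives outside the Windows directory), unquoted service paths, failure-recovery commands, scheduled task actions, Run/RunOnce keys and WMI event subscriptions. It assumes an elevated PowerShell 5.1 or later prompt and, for Get-ScheduledTask, Windows 8 / Server 2012 or later; the regex for "inside the Windows directory" and the finding labels are this example's own choices.

```powershell
# Added example (not from the flashcard set): read-only persistence triage of a live host.
# Nothing is modified; every finding is a lead to review by hand, not a verdict.

$findings = New-Object 'System.Collections.Generic.List[string]'
# Paths that count as "inside the Windows directory" (assumption for this example)
$winDirRe = '^(\\\?\?\\|\\SystemRoot|%SystemRoot%|%windir%|system32|' + [regex]::Escape($env:SystemRoot) + ')'

# --- 1. Services (HKLM\SYSTEM\CurrentControlSet\Services\<name>)
# Start: 0 = Boot, 1 = System, 2 = Auto (starts at boot), 3 = Manual, 4 = Disabled
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
    $svc = $_.PSChildName
    $p   = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if (-not $p -or $null -eq $p.Start -or $null -eq $p.ImagePath) { return }
    $img   = [string]$p.ImagePath
    $start = $startNames[[int]$p.Start]

    # Auto-start (0x02) service whose binary lives outside the Windows directory
    if ([int]$p.Start -eq 2 -and $img.TrimStart('"') -notmatch $winDirRe) {
        $findings.Add("SERVICE  $svc (Start=$start) binary outside Windows dir: $img")
    }
    # Unquoted ImagePath with a space before the .exe (classic hijack point)
    if ($img -notmatch '^"' -and $img -match '^\S+\s.*\.exe') {
        $findings.Add("SERVICE  $svc has an unquoted ImagePath with spaces: $img")
    }
    # Failure recovery set to run a program (sc failure <svc> ... command= "...")
    if ($p.FailureCommand) {
        $findings.Add("SERVICE  $svc runs a command on failure: $($p.FailureCommand)")
    }
}

# --- 2. Scheduled tasks whose action runs something outside the Windows directory
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute -and $a.Execute.TrimStart('"') -notmatch $winDirRe) {
            $findings.Add("TASK     $($task.TaskPath)$($task.TaskName) runs: $($a.Execute) $($a.Arguments)")
        }
    }
}

# --- 3. Autostart Run / RunOnce keys (machine and current user, 64- and 32-bit views)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $k).PSObject.Properties) {
        if ($prop.Name -in $providerProps) { continue }   # skip the provider's own metadata
        $findings.Add("RUNKEY   $k\$($prop.Name) = $($prop.Value)")
    }
}

# --- 4. WMI permanent event subscriptions: filter -> consumer bindings and consumer payloads
$ns = 'root\subscription'
Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("WMI      binding: $($_.Filter) -> $($_.Consumer)") }
Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("WMI      CommandLineEventConsumer $($_.Name): $($_.CommandLineTemplate)") }
Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("WMI      ActiveScriptEventConsumer $($_.Name) engine=$($_.ScriptingEngine)") }

$findings | Sort-Object -Unique
```

Expect noise: third-party software legitimately installs auto-start services and tasks under Program Files, and a task whose Execute is a bare LOLBin name such as wscript.exe is flagged because it fails the Windows-directory test, which is usually what you want to look at anyway. Compare the output against a known-good build of the same image rather than reading it cold, and remember that this only covers the mechanisms on the cards; DLL hijacking needs a separate check of search-order directories next to each flagged binary.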