Section 1.1: Incident Response & Threat Hunting Flashcards
Define “breakout” time. In 2019, CrowdStrike reported that the average “breakout” time for attackers was…
Breakout time is the time from an intruder gaining an initial foothold on one host to the start of lateral movement to other systems in the network. The average breakout time reported was 9 hours.
What are Nation-State Actors?
Threat actors working for, directed by, or sponsored by a national government, for example China or Russia. They are also commonly referred to as APTs (Advanced Persistent Threat actors).
Give an overview of the six-step Incident Response process
Preparation, Identification, Containment & Intelligence Development, Eradication & Remediation, Recovery, and Follow-up.
How can an IR analyst prepare?
By establishing a response capability so the organization can respond to an incident, and by reducing the number of incidents in the first place by securing systems, networks, and applications in advance.
How is IR identification determined?
By a suspicious event: an alert from a security appliance, a help-desk call, or a discovery made through threat hunting. The severity of the event is assessed here. This phase is used to better understand the findings and to begin scoping the network for additional compromise.
What is the goal of Containment and Intelligence Development?
To rapidly understand the adversary and begin crafting a containment strategy. Analysts must identify the initial vulnerability or exploit, how persistence and lateral movement are maintained, and how command and control (C2) is accomplished. Changes to the environment are usually needed to increase host and network visibility.
What steps can be taken to accomplish the Eradication and Remediation phase?
The full scope of the intrusion must be determined first. Then changes such as the following can be made: block malicious IP addresses, blackhole (sinkhole) malicious domain names, rebuild compromised systems, coordinate with cloud and service providers, perform enterprise-wide password changes, and verify that every planned change was actually implemented.
What goes on in the Recovery phase?
Changes are made to improve enterprise defenses and prevent reinfection. Goals can be near-, mid-, or long-term. Example recovery changes: an improved enterprise authentication model, improved network visibility, a comprehensive patch management program, an enforced change management program, centralized logging (SIM/SIEM), an enhanced password portal, a security awareness program, and network redesign.
What happens in the follow-up phase?
Double-checks that the incident is mitigated, the adversary is truly removed, and the countermeasures are implemented correctly. This phase combines monitoring, network sweeps, searching for new breaches, and auditing the network through penetration testing.
How does “whack-a-mole” happen in an organization? What are the consequences of these actions?
It happens when an organization eradicates too early, before it has gathered enough intelligence to scope the intrusion beyond the initial foothold, so the adversary is tipped off while still present elsewhere in the network. Consequences can include the adversary moving to new systems, launching a destructive process, or beginning exfiltration while they still have the upper hand.
What does an analyst gather by constructing intelligence development?
The attackers' tactics, techniques, and procedures (TTPs), an understanding of their intentions, the malware used, indicators of compromise (IOCs), and the campaign the activity belongs to. With enough intelligence, analysts can predict the adversary's next move from the tools and patterns observed. Developing IOCs is a force multiplier because they can be swept across the entire enterprise.
How does containment play its part in an enterprise attack?
It acts as an immediate defense to restrict, limit, and degrade adversary capabilities. With enough intelligence, responders can put defenses in place to deter the adversary while they gather more data to fully scope the breach. Some containment methods are data decoys, bit mangling, traffic shaping, kill switches, and adversary network segmentation.
Describe the looping phase
It's when responders use the intelligence gathered so far to broaden the scope of the identification phase, which in turn yields more intelligence. The loop repeats until the incident is fully scoped.
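The IOC development described in the intelligence-development card and the looping phase above are easiest to see as one loop in code. The following is an added example, not from the original flashcards or from any vendor tool: it sweeps host telemetry against an initial IOC set, pivots on every hit (the process that produced the hit and the external destinations that process contacted on that host become new IOCs), and re-sweeps until a round adds no new IOCs, at which point the scope is stable. All host names, hashes, addresses, domains and the allowlist are constructed for the example.

```python
"""Iterative IOC sweep: scope an intrusion by sweeping host telemetry,
pivoting on hits to develop new IOCs, and re-sweeping until stable.
Added example with constructed telemetry; not real incident data."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    host: str
    sha256: str   # hash of the process image that made the connection
    dst: str      # IP address or domain the process connected to


def parse_ip(s):
    try:
        return ipaddress.ip_address(s)
    except ValueError:
        return None


@dataclass
class IocSet:
    hashes: set = field(default_factory=set)
    networks: list = field(default_factory=list)   # ipaddress networks (/32 or CIDR)
    domains: set = field(default_factory=set)

    def matches(self, ev: Event) -> bool:
        if ev.sha256 in self.hashes:
            return True
        ip = parse_ip(ev.dst)
        if ip is not None:
            return any(ip in net for net in self.networks)
        return ev.dst.lower() in self.domains

    def add_dst(self, dst: str) -> bool:
        """Add a destination as a network IOC; return True if it was new."""
        try:
            net = ipaddress.ip_network(dst, strict=False)  # "203.0.113.10" -> /32
        except ValueError:                                 # not an address: a domain
            d = dst.lower()
            if d in self.domains:
                return False
            self.domains.add(d)
            return True
        if net in self.networks:
            return False
        self.networks.append(net)
        return True


# Constructed allowlist: internal ranges and known-good domains are never
# promoted to IOCs, otherwise a pivot would sweep the whole enterprise in.
ALLOW_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOW_DOMAINS = {"update.microsoft.com", "corp.example.com"}


def allowlisted(dst: str) -> bool:
    ip = parse_ip(dst)
    if ip is not None:
        return any(ip in net for net in ALLOW_NETS)
    return dst.lower() in ALLOW_DOMAINS


def sweep_until_stable(events, iocs: IocSet, max_rounds: int = 10):
    """Return (hosts in scope, rounds run). Each round: sweep, then pivot."""
    scope = set()
    rounds = 0
    for rounds in range(1, max_rounds + 1):
        hits = [ev for ev in events if iocs.matches(ev)]
        scope |= {ev.host for ev in hits}
        # Pivot: the process behind each hit is malicious, so its hash and every
        # non-allowlisted destination it contacted on that host become new IOCs.
        pivot_keys = {(ev.host, ev.sha256) for ev in hits}
        new_iocs = 0
        for ev in events:
            if (ev.host, ev.sha256) not in pivot_keys:
                continue
            if ev.sha256 not in iocs.hashes:
                iocs.hashes.add(ev.sha256)
                new_iocs += 1
            if not allowlisted(ev.dst) and iocs.add_dst(ev.dst):
                new_iocs += 1
        if new_iocs == 0:   # no new IOCs means the next sweep would hit the same hosts
            break
    return scope, rounds


# Constructed telemetry: ws01 is patient zero, triage gave us only MALWARE_A's hash.
MALWARE_A = "a1" * 32
DROPPER_B = "b2" * 32
BROWSER = "c3" * 32
TELEMETRY = [
    Event("ws01", MALWARE_A, "203.0.113.10"),          # C2 address
    Event("ws01", MALWARE_A, "evil-cdn.example"),      # second C2 channel
    Event("ws01", MALWARE_A, "update.microsoft.com"),  # allowlisted, must not become an IOC
    Event("ws01", BROWSER, "corp.example.com"),
    Event("ws02", DROPPER_B, "evil-cdn.example"),      # different binary, same C2 domain
    Event("ws02", DROPPER_B, "198.51.100.7"),
    Event("ws02", BROWSER, "corp.example.com"),
    Event("srv01", DROPPER_B, "10.0.0.20"),            # internal only: found via hash, no new IOC
    Event("ws03", BROWSER, "198.51.100.200"),          # neighbour of a C2 IP, but not a /32 match
]


def run_example():
    iocs = IocSet(hashes={MALWARE_A})
    scope, rounds = sweep_until_stable(TELEMETRY, iocs)
    return scope, iocs, rounds


if __name__ == "__main__":
    scope, iocs, rounds = run_example()
    print(f"{rounds} rounds; hosts in scope: {sorted(scope)}")
    print("network IOCs:", [str(n) for n in iocs.networks], sorted(iocs.domains))
```

Starting from a single hash, round 1 scopes only ws01 and adds its two C2 destinations; round 2 finds ws02 through the shared domain and adds the dropper hash plus its second C2 address; round 3 finds srv01 through that hash but produces no new IOCs, so the loop stops with ws03 correctly left out. The allowlist is the edge case that matters: without it, the pivot from ws01 would promote update.microsoft.com to an IOC and every host in the enterprise would land in scope on the next round.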
What is a remediation event?
A coordinated effort in which the IR team, together with additional outside groups, makes a large number of network changes in a short period of time. The goal is to deny the adversary access to the environment, eliminate their ability to react, remove their presence, and degrade their ability to return.
What are some critical remediation controls?
Disconnecting the environment from the internet, implementing strict segmentation so that specific subnets cannot communicate with each other, blocking IP addresses and domain names for known C2 channels, removing infected systems or those showing signs of compromise, and restricting access for compromised user and domain accounts.