Section 1.1: Incident Response & Threat Hunting Flashcards

1
Q

Define “breakout” time. In 2019, CrowdStrike reported that the average “breakout” time for attackers was…

A

Breakout time is the time it takes an intruder to begin moving laterally once they have an initial foothold in the network. The average breakout time is 9 hours.

2
Q

What are Nation-State Actors?

A

Threat actors sponsored by or operating from a foreign nation, such as China or Russia. They are also known as APTs, or Advanced Persistent Threat actors.

3
Q

Give an overview of the six-step Incident Response process.

A

Preparation, Identification, Containment & Intelligence Development, Eradication & Remediation, Recovery, and Follow-up.

4
Q

How can an IR analyst prepare?

A

Establish a response capability so that the organization can respond to an incident, and also prevent incidents by securing systems, networks, and applications.

5
Q

How is IR identification determined?

A

By a suspicious event: this can be an alert from a security appliance, a help-desk call, or a discovery made through threat hunting. The severity of the event is determined here. This phase helps the team better understand the findings and begin scoping the network for additional compromise.

6
Q

What is the goal of Containment and Intelligence Development?

A

To rapidly understand the adversary and begin crafting a containment strategy. Analysts must identify the initial vulnerability/exploit, how persistence and lateral movement are maintained, and how C2 is accomplished. Changes to the environment are needed to increase host and network visibility.

7
Q

What steps can be taken to accomplish the Eradication and Remediation phase?

A

The full scope of the intrusion must be determined first. Then changes such as the following can be made: block malicious IP addresses, blackhole malicious domain names, rebuild compromised systems, coordinate with cloud and service providers, perform enterprise-wide password changes, and verify that every change was fully implemented.

8
Q

What goes on in the Recovery phase?

A

Changes are made to improve enterprise defense and prevent reinfection. Goals can be near-, mid-, or long-term changes. Recovery changes can include: an improved enterprise authentication model, improved network visibility, a comprehensive patch management program, an enforced change management program, centralized logging (SIM/SIEM), an enhanced password portal, a security awareness program, and a network redesign.

9
Q

What happens in the follow-up phase?

A

Double-check that the incident is mitigated, the adversary is truly removed, and countermeasures are implemented correctly. This phase is a combination of monitoring, network sweeps, searching for new breaches, and auditing the network through penetration testing.

10
Q

How does “whack-a-mole” happen in an organization? What are the consequences of these actions?

A

It happens when an organization doesn’t gather enough intelligence to scope the initial foothold of the intrusion and tries to eradicate too early. Consequences can include the adversary moving to new systems, initiating a destructive process, or beginning exfiltration if they have the upper hand.

11
Q

What does an analyst gather by constructing intelligence development?

A

The attackers’ tools, techniques, and procedures, an understanding of their intentions, the malware they used, developed IOCs, and identification of the campaign. With enough intelligence, an analyst can predict the adversary’s next move based on the tools used and observed patterns. The development of IOCs is a force multiplier across the enterprise.

12
Q

How does containment play its part in an enterprise attack?

A

It acts as an immediate defense to restrict, limit, and degrade adversary capabilities. With enough intelligence, responders can put defenses in place to deter the adversary while they gather more data to fully scope the breach. Some containment methods are: data decoys, bit mangling, traffic shaping, kill switches, and adversary network segmentation.

13
Q

Describe the looping phase.

A

It’s when responders gather enough intelligence to broaden the scope of the identification phase in order to gather still more intelligence. The loop repeats until the incident is fully scoped.

14
Q

What is a remediation event?

A

It involves the IR team working with additional outside groups to coordinate a massive number of network changes in a short time. The goal is to deny the adversary access to the environment, eliminate their ability to react, remove their presence, and degrade their ability to return.

15
Q

What are some critical remediation controls?

A

Disconnect the environment from the internet, implement strict segmentation so that specific subnets cannot communicate, block IP addresses and domain names used for known C2 channels, remove infected systems or any showing signs of compromise, and restrict access to compromised accounts and domain accounts.

16
Q

Define the CIS Controls.

A

A recommended set of actions for cyber defense that provide specific and actionable ways to stop today’s dangerous attacks.

17
Q

Explain the low levels of the IR hierarchy of needs.

A

Inventory: Can I name the assets I defend?
Telemetry: Do I have visibility into those assets?
Detection: Can I detect unauthorized activity?

18
Q

Explain the mid levels of the IR hierarchy of needs.

A

Triage: Can I accurately classify detection results?
Threats: Who are the actors? What can they do?
Behaviors: Can I detect their activity?

19
Q

Explain the high levels of the IR hierarchy of needs.

A

Hunt: Can I detect an embedded actor?
Track: Can I observe the actor in real time?
Act: Can I deploy countermeasures to evict them?

20
Q

Why is it important for security teams to feed intelligence to hunt teams?

A

So that the hunt team has a concrete reason to search for specific adversary behaviors and TTPs, and its findings can be fed back to the security team. Places a security team can send a hunt team to look for detections include: hosts, the network, malware artifacts, registry keys, LOTL (living-off-the-land) techniques, WMI, PowerShell, etc.

21
Q

SIEM stands for…

A

Security Information & Event Management