Section 31 - Incident Response Procedures Flashcards
What is an incident response?
A set of procedures that an investigator follows when they’re examining a computer security incident.
What are the six basic steps of an incident response?
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learned
What happens during the preparation phase of an incident response?
Step 1
During this phase your organization is going to ensure that it has a well-planned incident response procedure, a strong security posture, and a knowledgeable chief information security officer who’s able to limit the damage to data and the company reputation if an incident occurs.
What happens during the “identification” phase of an incident response?
Step 2
This is the process of recognizing whether an event is actually going to be categorized as an incident or not.
What happens during the “containment” phase of an incident response?
Step 3
This is focused on isolating the incident or problem.
What happens during the “eradication” phase of an incident response?
Step 4
This is the phase where we’re going to remove the threat or attack.
What happens during the “recovery” phase of an incident response?
Step 5
This is focused on making sure we do data restoration, system repair, and re-enabling any servers or networks that we took offline during our incident response.
What happens during the “lessons learned” phase of an incident response?
Step 6
This is the process we use to document the incident response, and to make any changes to the procedures and processes we used so that we do better next time.
What is an incident response team?
The key people available to respond to any incident that meets the severity and priority thresholds that are set out by your incident response plan, because not everything that you run into is going to require you to activate the whole team.
What are the positions on an incident response team?
Incident Response Manager/Team Lead
Security Analyst
Threat Researcher
Cross Functional Support
What is the role of an incident response manager/team lead?
This person is going to oversee and prioritize actions during the detection, analysis and containment of an incident.
What is the role of a security analyst?
These people play detective in order to determine what happened up to this point.
Security analysts may be assigned into two categories. What are these?
Triage analyst - assigned to work on the network during the incident response. They filter out false positives by properly configuring IDS/IPS as well as performing ongoing monitoring and analysis.
Forensic analyst - Focused on the detective work and trying to piece together what has already occurred on the network. They focus on recovering key artifacts and evidence to build a timeline of events.
What is the role of a threat researcher?
They complement your analysts by providing threat intelligence and overall context during the incident response. They work to always remain up to date on the current threats and with previous incidents that have occurred.
What is the role of cross functional support?
This includes people from management or the executive team, someone from human resources, technical experts, an attorney or lawyer, or even public relations.
*** Anyone who comes from outside the incident response team itself and across the entire organization
Your incident response team is often known as a…?
CSIRT
Computer Security Incident Response Team
They should be your single point of contact for security incidents
What is an out-of-band communication system?
A system where the signals between two parties or two devices are sent via a path or method that’s different from the primary communication channel between them.
*** Often this is established as a backup method to communicate in case your primary means has been compromised.
What is an example of an out-of-band communication system?
WhatsApp
Signal
Off-the-Record
These apps have a messaging system with end-to-end encryption so no attacker can see the information being exchanged.
What is an escalation procedure?
This is the procedure you follow to determine at what point you should call in your incident response team.
What is a SIEM?
Security Information and Event Monitoring System
Through a multitude of different data sources, this provides us with real-time analysis of security alerts that are generated by applications and network hardware.
When talking about a SIEM, the first thing we have to think about is…?
Our sensor
This is the actual endpoint that’s being monitored. The sensor can feed data up into the SIEM.
Another thing we have to think about with our SIEMs is their…?
Sensitivity
This is focused on how much or how little you are going to be logging.
By using a SIEM and its graphical ability to look across logs, we can start seeing ___ in our network.
Trends
Inside the SIEM, we can set it up so there’s certain ___ that happen based on certain parameters.
alerts
This is one of the big things within a SIEM. We’re getting data from a lot of different sources and all of these things need to be ____.
correlated
What is a log file?
Any file that records either events that occur in an operating system or other software that’s running.
There are lots of different types of log files out there. What are they?
Network Log Files - tracks all things going through routers and switches
System Log Files - tracks all things happening on an individual host or server
Application Log Files - tells us exactly what each application is doing on a given system
Security Log Files - proxy server logs (websites that have been accessed by your users)
DNS Log Files - Requests made of that DNS server
Authentication Log Files - tells us any kind of authentication across our files, systems and servers.
Dump Files - logs when things happen to crash
What is syslog, rsyslog and syslog-ng?
Three variations that do the same thing.
They all permit logging of data from different types of systems into a central repository.
One of the things our SIEM relies heavily on is using…?
syslog, rsyslog or syslog-ng
It uses the data from these logs to grab information from various endpoints and dump into itself.
What is journalctl?
This is a Linux command-line utility that’s used for querying and displaying logs from journald, the journal daemon, which is basically the logging service for systemd on a Linux machine.
*** Basically this is how you are able to look at the logs on a Linux machine.
What is nxlog?
A multi-platform log management tool that helps us to easily identify security risks, policy breaches, or analyze operational problems in server logs, operational system logs, and application logs.
*** remember that this is a multi-platform/cross-platform tool and it’s open source.
Nxlog and syslog are very similar, but how do they differ?
syslog, rsyslog, syslog-ng only work on Linux and Unix systems but nxlog is cross-platform capable.
What is netflow?
It’s a network protocol system created by Cisco that collects active IP network traffic as it’s flowing into or out of an interface.
*** So the things that are going into or out of your network through the firewall or through a router, netflow can capture that information.
What is the difference between a full packet capture and netflow?
Netflow is more of a summarization of data.
Full packet capture will capture everything. Every single one and zero that’s going in and out of our network.
What is sflow?
Sampled Flow
An open source version of netflow.
Where netflow is made by Cisco and is proprietary, sflow is more of a generic version.
What is IPfix?
Internet Protocol Information Export
A universal standard for the export of Internet Protocol Flow Information from your routers, your probes, and other devices. It is used by mediation systems, accounting and billing systems, and network management systems to facilitate services such as measurement, accounting and billing by defining how IP flow information is to be formatted and transferred from an exporter to a collector.
What is metadata?
Metadata is data that describes other data. It does this by providing an underlying definition or description, summarizing basic information about the data, which makes finding and working with particular instances of data much easier.
*** Essentially, this is data about the data.
The first thing you need to know about forensics is everything we do we use…?
written procedures
These are going to ensure that personnel handle forensics properly, effectively, and in compliance with required regulations.
Basic forensic procedure is a four-step process. What are the steps?
- Identification
- Collection
- Analysis
- Reporting
What is the identification step of the basic forensic procedures?
This is going to ensure the scene is safe, we have made sure we secure the scene to prevent any evidence contamination, and we identify the scope of the evidence to be collected.
What is the collection step of the basic forensic procedures?
We have to ensure that we have authorization to collect the evidence. Then, we document and prove the integrity of the evidence as it’s collected.
What is the analysis step of the basic forensic procedures?
Create a copy of evidence for analysis and use repeatable methods and tools during analysis
What is the reporting step of the basic forensic procedures?
Create a report of the methods and tools used in the investigation and present detailed findings and conclusions based on the analysis
What is the concept of a legal hold?
A process that is designed to preserve all relevant information when litigation is reasonably expected to occur.
*** litigation = lawsuit
Forensic analysts have a code of ethics. What does it include?
- Analysis must be performed without bias
- Analyst methods have to be repeatable by third parties
- Evidence must not be changed or manipulated
What is the best way to present information as part of your analysis and report?
Using a timeline
This will show the sequence of file system events within a source image in a graphical format
What do you use digital forensic collection techniques for?
These are used to make forensic images of the data on servers and to preserve that evidence for later analysis. This allows your incident response team to get your server back online as quickly as possible and resume operations while also maintaining evidence.
What is data acquisition?
The method and tools used to create a forensically sound copy of the data from a source device, such as system memory, or a hard disk.
What is tracert/traceroute?
A networking tool
A network diagnostic command for displaying possible routes and measuring transit delays of packets as they go across an IP network
*** You can use this to see all the different routers you went through in order to get to a specific web server
What is nslookup and dig?
A networking tool
These are utilities that are used to determine the IP address associated with the domain name, obtaining the mail server settings for a domain and other DNS information
what is the difference between nslookup and dig?
nslookup = is the name server lookup
dig = allows you to dig through those DNS records and get information. This tool is also not available for Windows machines.
What is ipconfig and ifconfig?
These are utilities that display all the network configurations of the currently connected network devices, and they can be used to modify DHCP and DNS settings
What is the difference between ipconfig and ifconfig?
ipconfig = Windows
ifconfig = Linux/Unix
What is nmap?
An open-source network scanner that is used to discover hosts and services on a computer network by sending packets and analyzing their responses
*** For the test, you should know how to look at the output from nmap, be able to read it, and then pick out open vs closed ports
What is ping/pathping?
Utility used to determine if a host is reachable on an internet protocol network
What is hping?
An open source packet generator and also an analyzer
It is used for the TCP/IP protocol and for security auditing and testing of firewalls and networks
What is netstat?
A utility that displays the network connections for the transmission control protocol (TCP) as well as routing tables and a number of other interface and network protocol statistics
*** essentially, this will let you see all of the different things that your computer is connected to right now
what is netcat?
A utility for reading from and writing to network connections using UDP or TCP, which allows it to be used as a dependable backend that can be used directly or easily driven by other programs and scripts
*** You can use this to connect to a web server, you’ll get a text response back and you can read the code that the web server sent to you. That way you can understand what OS it is and what type of software is being used on it. You can use it to have a shell connection and remotely control a machine.
What is ARP?
A utility for viewing and modifying the local address resolution protocol or ARP cache on a given host or server
*** ARP is a layer 2 protocol. Instead of using IP addresses when on the local area network, you use ARP messages and we transfer information based on their MAC address, not their IP address. ARP cache is actually that mapping. If you think about how DNS is used for IP addresses to domain names, ARP is like that, but going from MAC addresses to IP addresses. You can use that ARP tool to see what IP and MAC addresses are bound together.
What is route?
A utility to be able to view and manipulate the IP routing table on a given host or server
What is a default gateway?
Your router on your network
What is curl?
A command line tool that’s used to transfer data to or from a server using any of a number of different protocols
What is harvester?
A Python script that’s used to gather emails, subdomains, hosts, employee names, open ports, and banners from different public sources like search engines, PGP key servers and SHODAN databases
It is a reconnaissance tool
What is sn1per?
An automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities across your network
What is scanless?
A utility that’s used to create an exploitation website that can perform open port scans in a more stealthy manner
*** Essentially, you can set up a web server that can do all of your scans for you against those given targets
What is dnsenum?
A utility that’s used for DNS enumeration and it’s used to locate all the DNS servers and DNS entries for a given organization
What is Nessus?
A proprietary vulnerability scanner that can remotely scan a computer or network for vulnerabilities
*** This is an infrastructure scanner for things like routers, switches, hosts and servers
What is Cuckoo?
Open source software for automating analysis of suspicious files
*** Essentially, a sandbox environment
What is “head”?
A linux tool
A command-line utility for outputting the first 10 lines of a file that’s provided to it
What is “tail”?
A linux tool
A command-line utility for outputting the last 10 lines of a file
What is “cat”?
A linux tool
A command line utility for outputting the entire contents of a file to your screen.
What is “grep”?
A linux tool
A command-line utility for searching plain text data sets for lines that match a regular expression or a pattern
What is “chmod”?
A Linux tool
A command line utility that’s used to change the access permissions of file system objects
What is “logger”?
A linux tool
A utility that provides an easy way to add messages to the /var/log/syslog file from the command line or from other files
What is SSH?
Shells & Scripts
Secure Shell
Utility that supports encrypted data transfer between two computers for secure logins, file transfers, or general purpose connections
What is Powershell?
Shells & Scripts
Only used in Windows
A task automation and configuration management framework from Microsoft and it consists of a command line shell and the associated scripting language which is known as Powershell
What is OpenSSL?
Shells & Scripts
A software library for applications that will help us secure communications over computer networks against eavesdropping or the need to identify the party at the other end.
If you use secure shell you will be using OpenSSL to protect it
What is tcpdump?
Packet Captures
A command line utility that allows you to capture and analyze network traffic going through your system
What is Wireshark?
Packet Captures
A network analysis tool that can be used to capture network packets and display them at a granular level for real-time or offline analysis
What is dd?
Forensics
A command line utility that’s used to copy disk images using a bit by bit copying process
What is FTK Imager?
FTK Imager works on Windows and it is a graphic user interface based tool.
A data preview and imaging tool and it’s going to let you quickly access electronic evidence to determine if you need to do further analysis with a forensic tool like FTK or EnCase or Autopsy
What is memdump?
Forensics
A Linux command line utility that is used to dump system memory to the standard output stream by skipping over holes in memory maps
*** A way to capture volatile information in memory before it changes
What is WinHex?
Forensics
A commercial product
A disk editor and universal hexadecimal editor that can be used for data recovery and digital forensics
What is Autopsy?
Forensics
A digital forensics platform and graphical user interface that is laid on top of The Sleuth Kit.
*** It tries to make hard to use command line tools easier by providing a graphic user interface to them
What is Metasploit?
Exploitation
Also known as Metasploit Framework or MSF
A computer security tool that offers information about software vulnerabilities, IDS development, and improves penetration testing.
What is BeEF?
Exploitation
Browser Exploitation Framework
A tool that can hook one or more browsers and then use them as a beachhead for launching various direct commands and further attacks against the system from within the browser context
*** Can be used by a penetration tester to behave as a man in the middle between the user and the system they’re trying to connect to
What is Cain and Abel
Exploitation
A password recovery tool that can be used to sniff the network and crack encrypted passwords using dictionary, brute force, or cryptanalysis attacks. It can also record VoIP conversations, decode scrambled passwords, reveal password boxes or analyze routing protocols
What is John the Ripper?
Exploitation
A cross platform password cracker. It’s open source. Known as a password security auditing tool and password recovery tool that’s available for most OSs. It can also use dictionary or brute force attacks like Cain and Abel.
When collecting evidence, you should always follow the order of volatility. Collect the most volatile evidence first and the least last. How does this look?
- Always begin the collection with CPU registers and cache memory (L1/L2/L3/GPU)
- The contents of system memory (RAM), including the routing table, ARP cache, process tables, kernel statistics, and temporary file systems/swap space/virtual memory
- Lastly, move onto the collection of data storage devices like hard drives, SSDs and flash memory devices
What is the chain of custody?
This is used to document the collection and preservation of evidence from its initial acquisition throughout the handling leading up to the trial and during its preservation in case of an appeal or retrial
*** This is what would be required for evidence to be admissible in a court of law