Section 31 - Incident Response Procedures Flashcards

1
Q

What is an incident response?

A

A set of procedures that an investigator follows when they’re examining a computer security incident.

2
Q

What are the six basic phases of an incident response?

A
  1. Preparation
  2. Identification
  3. Containment
  4. Eradication
  5. Recovery
  6. Lessons Learned
3
Q

What happens during the preparation phase of an incident response?

A

Step 1

During this phase the organization makes sure it has a well-planned incident response procedure, a strong security posture, and a knowledgeable chief information security officer (CISO) who is able to limit the damage to data and to the company's reputation if an incident occurs.

4
Q

What happens during the “identification” phase of an incident response?

A

Step 2

This is the process of recognizing whether an event is actually going to be categorized as an incident or not.

5
Q

What happens during the “containment” phase of an incident response?

A

Step 3

This is focused on isolating the incident or problem.

6
Q

What happens during the “eradication” phase of an incident response?

A

Step 4

This is the phase where we’re going to remove the threat or attack.

7
Q

What happens during the “recovery” phase of an incident response?

A

Step 5

This is focused on making sure we do data restoration, system repair, and re-enabling any servers or networks that we took offline during our incident response.

8
Q

What happens during the “lessons learned” phase of an incident response?

A

Step 6

The process used to document the incident and how it was handled, and to make whatever changes to the procedures and processes we used are needed so that we do better next time.

9
Q

What is an incident response team?

A

The key people available to respond to any incident that meets the severity and priority thresholds that are set out by your incident response plan, because not everything that you run into is going to require you to activate the whole team.

10
Q

What are the positions on an incident response team?

A

Incident Response Manager/Team Lead

Security Analyst

Threat Researcher

Cross Functional Support

11
Q

What is the role of an incident response manager/team lead?

A

This person is going to oversee and prioritize actions during the detection, analysis and containment of an incident.

12
Q

What is the role of a security analyst?

A

These people play detective in order to determine what happened up to this point.

13
Q

Security analysts may be assigned into two categories. What are these?

A

Triage analyst - assigned to work on the network during the incident response. They filter out false positives by properly configuring IDS/IPS as well as performing ongoing monitoring and analysis.

Forensic analyst - Focused on the detective work and trying to piece together what has already occurred on the network. They focus on recovering key artifacts and evidence to build a timeline of events.

14
Q

What is the role of a threat researcher?

A

They complement your analysts by providing threat intelligence and overall context during the incident response. They work to always remain up to date on the current threats and with previous incidents that have occurred.

15
Q

What is the role of a cross functional support?

A

This includes people from management or the executive team, someone from human resources, technical experts, an attorney or lawyer, or even public relations.

*** Anyone who comes from outside the incident response team itself and across the entire organization

16
Q

Your incident response team is often known as a…?

A

CSIRT

Computer Security Incident Response Team

They should be your single point of contact for security incidents

17
Q

What is an out-of-band communication system?

A

Signals sent between two parties or two devices over a path or method that is different from the primary communication channel between them.

*** Often this is established as a backup method to communicate in case your primary means has been compromised.

18
Q

What is an example of an out-of-band communication system?

A

WhatsApp
Signal
Off-the-Record

These apps provide messaging with end-to-end encryption, so an attacker who has compromised the primary channel (for example the corporate email or chat server) cannot read what the responders exchange. They only count as out-of-band if they do not depend on the compromised infrastructure, so run them on phones or other separate devices rather than on the affected corporate workstations.

19
Q

What is an escalation procedure?

A

This is the procedure you follow to determine at what point you should call in your incident response team.

20
Q

What is a SIEM?

A

Security Information and Event Management system

Through a multitude of different data sources, this provides us with real-time analysis of security alerts that are generated by applications and network hardware.

21
Q

When talking about a SIEM, the first thing we have to think about is…?

A

Our sensor

This is the actual endpoint that’s being monitored. The sensor can feed data up into the SIEM.

22
Q

Another thing we have to think about with our SIEMs is their…?

A

Sensitivity

This is focused on how much or how little you are going to be logging.

23
Q

By using a SIEM and its graphical ability to look across logs, we can start seeing ___ in our network.

A

Trends

24
Q

Inside the SIEM, we can set it up so there’s certain ___ that happen based on certain parameters.

A

alerts

25
Q

This is one of the big things within a SIEM. We’re getting data from a lot of different sources and all of these things need to be ____.

A

correlated

26
Q

What is a log file?

A

Any file that records either events that occur in an operating system or other software that’s running.

27
Q

There’s lot of different types of log files out there. What are they?

A

Network Log Files - track traffic passing through routers and switches

System Log Files - track what happens on an individual host or server

Application Log Files - tell us exactly what each application is doing on a given system

Security Log Files - e.g. proxy server logs (websites that have been accessed by your users)

DNS Log Files - requests made to that DNS server

Authentication Log Files - tell us about any kind of authentication across our files, systems and servers

Dump Files - crash dumps, written when a process or the operating system crashes

28
Q

What are syslog, rsyslog and syslog-ng?

A

Three variations that do the same thing.

They all permit logging of data from different types of systems into a central repository.

29
Q

One of the things our SIEM relies heavily on is using…?

A

syslog, rsyslog or syslog-ng

The SIEM ingests the log data these services forward from the various endpoints into its own store.

30
Q

What is journalctl?

A

This is a Linux command-line utility used for querying and displaying logs from journald, the journal daemon, which is the logging service for systemd on a Linux machine.

*** Basically this how you are able to look at the logs on a Linux machine.

31
Q

What is nxlog?

A

A multi-platform log management tool that helps us identify security risks and policy breaches, or analyze operational problems, in server logs, operating system logs, and application logs.

*** remember that this is a multi-platform/cross-platform tool and that its Community Edition is open source.

32
Q

NXLog and syslog are very similar, but how do they differ?

A

syslog, rsyslog and syslog-ng are native to Linux and Unix systems (Windows agents exist but are not the norm), whereas NXLog is cross-platform and runs natively on Windows as well, where it can collect the Windows Event Log.

33
Q

What is netflow?

A

A network protocol developed by Cisco that collects metadata about IP traffic flows as they pass into or out of an interface.

*** So for traffic going into or out of your network through a firewall or router, NetFlow records who talked to whom (addresses, ports, protocol, byte and packet counts), not the packet payloads.

34
Q

What is the difference between a full packet capture and netflow?

A

Netflow is more of a summarization of data.

Full packet capture will capture everything. Every single one and zero that’s going in and out of our network.

35
Q

What is sflow?

A

Sampled Flow

An open, vendor-neutral standard that does a similar job to NetFlow, but works by sampling packets (for example one in every N) rather than accounting for every flow.

Where NetFlow was made by Cisco and is proprietary, sFlow is the more generic version supported by many switch vendors.

36
Q

What is IPfix?

A

Internet Protocol Flow Information Export

A universal (IETF) standard for exporting IP flow information from routers, probes and other devices. It defines how flow information is formatted and transferred from an exporter to a collector, and the records are consumed by mediation systems, accounting and billing systems, and network management systems to support services such as measurement, accounting and billing. It was derived from Cisco's NetFlow version 9.

37
Q

What is metadata?

A

Metadata is data that describes other data. Basically, by providing an underlying definition or description by summarizing basic information about the data that makes finding and working with particular instances of data much easier.

*** Essentially, this is data about the data.

38
Q

The first thing you need to know about forensics is everything we do we use…?

A

written procedures

These are going to ensure that personnel handle forensics properly, effectively, and in compliance with required regulations.

39
Q

Basic forensic procedure is a four-step process. What are the steps?

A
  1. Identification
  2. Collection
  3. Analysis
  4. Reporting
40
Q

What is the identification step of the basic forensic procedures?

A

This is going to ensure the scene is safe, we have made sure we secure the scene to prevent any evidence contamination, and we identify the scope of the evidence to be collected.

41
Q

What is the collection step of the basic forensic procedures?

A

We have to ensure that we have authorization to collect the evidence. Then, we document and prove the integrity of the evidence as it’s collected.

42
Q

What is the analysis step of the basic forensic procedures?

A

Create a copy of evidence for analysis and use repeatable methods and tools during analysis

43
Q

What is the reporting step of the basic forensic procedures?

A

Create a report of the methods and tools used in the investigation and present detailed findings and conclusions based on the analysis

44
Q

What is the concept of a legal hold?

A

A process designed to preserve all relevant information when litigation is reasonably expected to occur.

*** litigation = lawsuit

45
Q

Forensic analysts have a code of ethics. What are they?

A
  1. Analysis must be performed without bias
  2. Analyst methods have to be repeatable by third parties
  3. Evidence must not be changed or manipulated
46
Q

What is the best way to present information as part of your analysis and report?

A

Using a timeline

This will show the sequence of file system events within a source image in a graphical format

47
Q

What do you use digital forensic collection techniques for?

A

They are used to make forensic images of the data on the affected servers so that the evidence can be analyzed later. This lets the incident response team get the server back online and resume operations as quickly as possible while still preserving the evidence.

48
Q

What is data acquisition?

A

The method and tools used to create a forensically sound copy of the data from a source device, such as system memory, or a hard disk.

49
Q

What is tracert/traceroute?

A

A networking tool

A network diagnostic command for displaying possible routes and measuring transit delays of packets as they go across an IP network

*** You can use this to see all the routers your packets passed through to reach a specific web server

50
Q

What is nslookup and dig?

A

A networking tool

These are utilities that are used to determine the IP address associated with the domain name, obtaining the mail server settings for a domain and other DNS information

51
Q

what is the difference between nslookup and dig?

A

nslookup = the name server lookup utility, included with Windows and most Unix-like systems

dig = domain information groper; lets you dig through DNS records in detail and shows the raw answer sections. It is standard on Linux/Unix but is not included with Windows by default (it ships with the BIND tools).

52
Q

What is ipconfig and ifconfig?

A

These are utilities that display the network configuration of the currently connected network interfaces. ipconfig can also release and renew DHCP leases and flush the DNS resolver cache; ifconfig can bring interfaces up or down and assign addresses.

53
Q

What is the difference between ipconfig and ifconfig?

A

ipconfig = Windows
ifconfig = Linux/Unix

54
Q

What is nmap?

A

An open-source network scanner that is used to discover hosts and services on a computer network by sending packets and analyzing their responses

*** For the test, you should know how to look at the output from nmap, be able to read it, and then pick out open vs closed ports
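Reading open, closed and filtered ports out of nmap's default (normal) output is exactly what the card above asks for, so here is an added example that is not from the deck or from the nmap project: NMAP_OUTPUT is a constructed sample in the shape nmap prints to the terminal, with made-up host names, addresses and ports. The parser keys each host by IP and sorts its ports into open, closed and filtered, and also keeps the "Not shown:" summary line, which tells you what state the unlisted ports were in.

```python
"""Extract per-host open/closed/filtered ports from nmap normal-format output."""
import re

# Constructed sample (not a real scan) in nmap's normal output format.
NMAP_OUTPUT = """\
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-10 09:00 UTC
Nmap scan report for web01.example.internal (10.0.0.21)
Host is up (0.0021s latency).
Not shown: 995 closed tcp ports (reset)
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
443/tcp  open     https
3306/tcp filtered mysql
8080/tcp closed   http-proxy

Nmap scan report for db01.example.internal (10.0.0.30)
Host is up (0.0015s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT     STATE  SERVICE
22/tcp   open   ssh
5432/tcp open   postgresql

Nmap done: 2 IP addresses (2 hosts up) scanned in 4.12 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (?P<name>\S+)(?: \((?P<ip>[\d.]+)\))?$")
NOT_SHOWN_RE = re.compile(r"^Not shown: (?P<count>\d+) (?P<state>\S+) (?P<proto>tcp|udp) ports")
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+"
    r"(?P<state>open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+"
    r"(?P<service>\S+)"
)


def parse_nmap(text):
    """Return {host: {"name", "open", "closed", "filtered", "not_shown"}}.

    Each port entry is (port, proto, service). Ambiguous states such as
    open|filtered are grouped under "filtered" because nmap could not tell."""
    results = {}
    current = None
    for line in text.splitlines():
        h = HOST_RE.match(line)
        if h:
            key = h["ip"] or h["name"]  # nmap omits the parentheses when no name resolves
            current = results[key] = {"name": h["name"], "open": [], "closed": [],
                                      "filtered": [], "not_shown": None}
            continue
        if current is None:
            continue  # banner lines before the first host
        ns = NOT_SHOWN_RE.match(line)
        if ns:
            current["not_shown"] = (int(ns["count"]), ns["state"])
            continue
        p = PORT_RE.match(line)
        if p:
            entry = (int(p["port"]), p["proto"], p["service"])
            bucket = p["state"] if p["state"] in ("open", "closed") else "filtered"
            current[bucket].append(entry)
    return results


def open_ports(results, host):
    """Sorted open port numbers for one host; the list a triage analyst wants first."""
    return sorted(port for port, _, _ in results[host]["open"])


if __name__ == "__main__":
    r = parse_nmap(NMAP_OUTPUT)
    for host, info in r.items():
        print(host, info["name"], "open:", open_ports(r, host),
              "closed:", [p for p, _, _ in info["closed"]],
              "filtered:", [p for p, _, _ in info["filtered"]],
              "not shown:", info["not_shown"])
```

For tooling rather than reading, prefer nmap's own machine-readable formats (-oX for XML, -oG for grepable); the normal output above is what you are expected to interpret by eye on the exam and during live triage.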

55
Q

What is ping/pathping?

A

Utilities used to determine whether a host is reachable on an Internet Protocol network. ping sends ICMP echo requests; pathping (Windows) combines ping with traceroute, probing every hop along the path over a period of time and reporting per-hop packet loss and latency.

56
Q

What is hping?

A

An open source packet generator and also an analyzer

It works at the TCP/IP level, letting you craft packets with custom flags and fields, and is used for security auditing and for testing firewalls and networks

57
Q

What is netstat?

A

A utility that displays the network connections for the transmission control protocol (TCP) as well as routing tables and a number of other interface and network protocol statistics

*** essentially, this will let you see all of the different things that your computer is connected to right now

58
Q

what is netcat?

A

A utility for reading from and writing to network connections using TCP or UDP, which allows it to be used as a dependable back end that can be used directly or easily driven by other programs and scripts

*** You can use this to connect to a web server: you get a text response back and can read the headers the server sent, which may reveal what OS it runs and what web server software is in use. It can also be used to open a shell connection and remotely control a machine (a bind or reverse shell).

59
Q

What is ARP?

A

A utility for viewing and modifying the local Address Resolution Protocol (ARP) cache on a given host or server

*** ARP is a layer 2 protocol. On the local area network, frames are delivered by MAC address, not IP address, so a host uses ARP messages to learn which MAC address belongs to an IP address; the ARP cache is that mapping. If you think about how DNS maps domain names to IP addresses, ARP is like that, but mapping IP addresses to MAC addresses. You can use the arp tool to see which IP and MAC addresses are bound together, and an entry whose MAC address changes unexpectedly can be a sign of ARP spoofing.

60
Q

What is route?

A

A utility to be able to view and manipulate the IP routing table on a given host or server

61
Q

What is a default gateway?

A

The router on your local network that hosts send traffic to when the destination is outside their own subnet

62
Q

What is curl?

A

A command line tool that’s used to transfer data to or from a server using any of a number of different protocols

63
Q

What is theHarvester?

A

A Python script used to gather emails, subdomains, hosts, employee names, open ports, and banners from public sources such as search engines, PGP key servers and the Shodan database

It is a reconnaissance tool

64
Q

What is sn1per?

A

An automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities across your network

65
Q

What is scanless?

A

A utility that uses third-party online port-scanning websites to run port scans against a target on your behalf, which is more stealthy because the scan traffic originates from those sites rather than from your own address

*** Essentially, you are borrowing someone else's web server to do your scans against the given targets, so the target sees the scanning site's IP address, not yours

66
Q

What is dnsenum?

A

A utility used for DNS enumeration; it locates the DNS servers and DNS entries for a given organization

67
Q

What is Nessus?

A

A proprietary vulnerability scanner that can remotely scan a computer or network for vulnerabilities

*** This is an infrastructure scanner for things like routers, switches, hosts and servers

68
Q

What is Cuckoo?

A

Open source software for automating analysis of suspicious files

*** Essentially, a sandbox environment

69
Q

What is “head”?

A

A linux tool

A command-line utility for outputting the first lines of a file (10 by default; -n changes the count)

70
Q

What is “tail”?

A

A linux tool

A command-line utility for outputting the last lines of a file (10 by default; -f keeps following a growing log file)

71
Q

What is “cat”?

A

A linux tool

A command line utility for outputting the entire contents of a file to your screen.

72
Q

What is “grep”?

A

A linux tool

A command-line utility for searching plain text data sets for lines that match a regular expression or a pattern

73
Q

What is “chmod”?

A

A Linux tool

A command line utility that’s used to change the access permissions of file system objects

74
Q

What is “logger”?

A

A linux tool

A utility that provides an easy way to add messages to the system log (for example /var/log/syslog) from the command line or from a script, by handing them to the syslog service

75
Q

What is SSH?

A

Shells & Scripts

Secure Shell

Utility that supports encrypted data transfer between two computers for secure logins, file transfers, or general purpose connections

76
Q

What is Powershell?

A

Shells & Scripts

Originally Windows-only; PowerShell 6 and later (PowerShell Core) also run on Linux and macOS, but for the test associate it with Windows

A task automation and configuration management framework from Microsoft. It consists of a command-line shell and the associated scripting language, which is also known as PowerShell

77
Q

What is OpenSSL?

A

Shells & Scripts

A software library (with a command-line tool of the same name) that implements the TLS/SSL protocols and the underlying cryptography, helping applications secure communications over computer networks against eavesdropping and identify the party at the other end.

It is not itself a shell; it sits under shells and scripts because of the openssl command-line tool. OpenSSH uses OpenSSL's cryptographic library for much of its cryptography.

78
Q

What is tcpdump?

A

Packet Captures

A command line utility that allows you to capture and analyze network traffic going through your system

79
Q

What is Wireshark?

A

Packet Captures

A network analysis tool that can be used to capture network packets and display them at a granular level for real-time or offline analysis

80
Q

What is dd?

A

Forensics

A command line utility that’s used to copy disk images using a bit by bit copying process

81
Q

What is a FTK imager?

A

FTK Imager works on Windows and it is a graphic user interface based tool.

A data preview and imaging tool and it’s going to let you quickly access electronic evidence to determine if you need to do further analysis with a forensic tool like FTK or EnCase or Autopsy

82
Q

What is memdump?

A

Forensics

A Linux command line utility that is used to dump system memory to the standard output stream by skipping over holes in memory maps

*** A way to capture volatile information in memory before it changes

83
Q

What is WinHex?

A

Forensics

A commercial product

A disk editor and universal hexadecimal editor that can be used for data recovery and digital forensics

84
Q

What is Autopsy?

A

Forensics

A digital forensics platform and graphical user interface layered on top of The Sleuth Kit (TSK).

*** It tries to make hard to use command line tools easier by providing a graphic user interface to them

85
Q

What is Metasploit?

A

Exploitation

Also known as Metasploit Framework or MSF

A computer security tool that offers information about software vulnerabilities, helps with IDS signature development, and supports penetration testing by providing working exploit modules and payloads.

86
Q

What is BeEF?

A

Exploitation

Browser Exploitation Framework

A tool that can hook one or more browsers and then use them as a beachhead for launching various direct commands and further attacks against the system from within the browser context

*** A penetration tester can use it to sit as a man in the middle between a hooked browser and the systems the user is trying to connect to

87
Q

What is Cain and Abel

A

Exploitation

A password recovery tool for Windows that can sniff the network, crack encrypted passwords using dictionary, brute force, or cryptanalysis attacks, record VoIP conversations, decode scrambled passwords, reveal password boxes and analyze routing protocols

88
Q

What is John the Ripper?

A

Exploitation

A cross-platform, open-source password cracker. Known as a password security auditing tool and password recovery tool, it is available for most OSs. Like Cain and Abel, it can run dictionary or brute-force attacks.

89
Q

When collecting evidence, you should always follow the order of volatility. Collect the most volatile evidence first and the least last. How does this look?

A
  1. Always begin the collection with CPU registers and cache memory (L1/L2/L3/GPU)
  2. The contents of system memory (RAM), including the routing table, ARP cache, process tables, kernel statistics, and temporary file systems/swap space/virtual memory
  3. Lastly, move on to the collection of data storage devices like hard drives, SSDs and flash memory devices
90
Q

What is the chain of custody?

A

This is used to document the collection and preservation of evidence from its initial acquisition throughout the handling leading up to the trial and during its preservation in case of an appeal or retrial

*** This is what would be required for evidence to be admissible in a court of law
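The collection step earlier in the deck (document and prove the integrity of the evidence as it is collected), the dd card (a bit-by-bit copy) and the chain of custody card above all describe one procedure, so here is one added example that covers them together. It is not from the flashcard deck or from any forensic tool's code: the "source device" is a constructed in-memory byte string standing in for a seized disk, and the case number, item ID and examiner names are assumptions made for illustration. The copy loop does what dd does on a real drive, the SHA-256 taken at acquisition is the value you would later compare against sha256sum or FTK Imager's verify step, and every hand-off is appended to the custody record with the hash at that moment.

```python
"""Bit-for-bit evidence copy with an integrity hash and a chain-of-custody log."""
import hashlib
import io
from datetime import datetime, timezone

BLOCK_SIZE = 512
# Constructed stand-in for a seized disk: three 512-byte "sectors" plus a short tail
# (the tail shows a copy must not assume the device is a whole number of blocks).
SOURCE_DEVICE = (b"MBR" + b"\x00" * 509) + (b"FILE:secret.txt" + b"\xff" * 497) + (b"\x00" * 512) + b"tail"


def sha256_stream(fobj):
    """Hash a file-like object block by block; a real disk does not fit in memory."""
    h = hashlib.sha256()
    fobj.seek(0)
    for chunk in iter(lambda: fobj.read(BLOCK_SIZE), b""):
        h.update(chunk)
    return h.hexdigest()


def acquire_image(source, dest):
    """Bit-for-bit copy, the job `dd if=source of=dest bs=512` does on a real drive.
    Returns the SHA-256 of the source taken at acquisition time."""
    source.seek(0)
    dest.seek(0)
    dest.truncate()
    for chunk in iter(lambda: source.read(BLOCK_SIZE), b""):
        dest.write(chunk)
    dest.flush()
    return sha256_stream(source)


class ChainOfCustody:
    """Append-only record of who handled the evidence, when, and what its hash was."""

    def __init__(self, case_id, item_id):
        self.case_id, self.item_id, self.entries = case_id, item_id, []

    def record(self, handler, action, sha256, when=None):
        when = when or datetime.now(timezone.utc)
        self.entries.append({"case": self.case_id, "item": self.item_id,
                             "handler": handler, "action": action,
                             "sha256": sha256, "time": when.isoformat()})

    def verify(self, fobj):
        """True only if the object's current hash equals the hash recorded at acquisition."""
        acquired = next((e["sha256"] for e in self.entries if e["action"] == "acquired"), None)
        return acquired is not None and sha256_stream(fobj) == acquired


def run_acquisition(source_bytes, case_id="CASE-0001", item_id="HDD-01"):
    """Acquire, hash, make a working copy for analysis, and log every hand-off.
    Returns (chain_of_custody, sealed_image, working_copy). Case/item IDs are placeholders."""
    source = io.BytesIO(source_bytes)
    image = io.BytesIO()
    coc = ChainOfCustody(case_id, item_id)
    coc.record("examiner A", "acquired", acquire_image(source, image))
    # Analysis is done on a second copy so the acquired image stays untouched.
    working = io.BytesIO()
    coc.record("examiner A", "copied for analysis", acquire_image(image, working))
    coc.record("examiner B", "received for analysis", sha256_stream(working))
    return coc, image, working


if __name__ == "__main__":
    coc, image, working = run_acquisition(SOURCE_DEVICE)
    print("sealed image verifies:", coc.verify(image))
    working.seek(0)
    working.write(b"X")  # simulated tampering with the working copy
    print("tampered copy verifies:", coc.verify(working))
    for e in coc.entries:
        print(e["time"], e["handler"], e["action"], e["sha256"][:16])
```

The three custody entries carry the same hash, which is the point: any later examiner, or opposing counsel, can rehash the image and tie it back to the value recorded at the scene, while the modified working copy fails verification and the sealed image still passes.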