Section 31 - Incident Response Procedures

Question 1

What is an incident response?

Answer 1

A set of procedures that an investigator follows when they’re examining a computer security incident.

Question 2

What is the basic six procedure for an incident response?

Answer 2

1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned

Question 3

What happens during the preparation phase of an incident response?

Answer 3

Step 1

During this phase your organization is going to ensure that it has a well-planned incident response procedure, a strong security posture, and a knowledgeable chief information security officer who’s able to limit the damage to data and the company reputation if an incident response occurs.

Question 4

What happens during the “identification” phase of an incident response?

Answer 4

Step 2

This is the process of recognizing whether an event is actually going to be categorized as an incident or not.

Question 5

What happens during the “containment” phase of an incident response?

Answer 5

Step 3

This is focused on isolating the incident or problem.

Question 6

What happens during the “eradication” phase of an incident response?

Answer 6

Step 4

This is the phase where we’re going to remove the threat or attack.

Question 7

What happens during the “recovery” phase of an incident response?

Answer 7

Step 5

This is focused on making sure we do data restoration, system repair, and re-enabling any servers or networks that we took offline during our incident response.

Question 8

What happens during the “lessons learned” phase of an incident response?

Answer 8

Step 6

This is a process that we use to document the incident response process and we make any changes to the procedures and the processes that we used that we want to make sure we do better next time.

Question 9

What is an incident response team?

Answer 9

The key people available to respond to any incident that meets the severity and priority thresholds that are set out by your incident response plan, because not everything that you run into is going to require you to activate the whole team.

Question 10

What are the positions on an incident response team?

Answer 10

Incident Response Manager/Team Lead

Security Analyst

Threat Researcher

Cross Functional Support

Question 11

What is the role of an incident response manager/team lead?

Answer 11

This person is going to oversee and prioritize actions during the detection, analysis and containment of an incident.

Question 12

What is the role of a security analyst?

Answer 12

These people play detective in order to determine what happened up to this point.

Question 13

Security analysts may be assigned into two categories. What are these?

Answer 13

Triage analyst - assigned to work on the network during the incident response. They filter out false positives by properly configuring IDS/IPS as well as performing ongoing monitoring and analysis.

Forensic analyst - Focused on the detective work and trying to piece together what has already occurred on the network. They focus on recovering key artifacts and evidence to build a timeline of events.

Question 14

What is the role of a threat researcher?

Answer 14

They complement your analysts by providing threat intelligence and overall context during the incident response. They work to always remain up to date on the current threats and with previous incidents that have occurred.

Question 15

What is the role of a cross functional support?

Answer 15

This includes people from management or the executive team, someone from human resources, technical experts an attorney or lawyer or even public relations.

*** Anyone who comes from outside the incident response team itself and across the entire organization

Question 16

Your incident response team is often known as a…?

Answer 16

CSIRT

Computer Security Incident Response Team

They should be your single point of contact for security incidents

Question 17

What is an out-of-band communication system?

Answer 17

Where your signals are being sent between two parties or two devices that are sent via a path or method that’s different from the primary communication between.

*** Often this is established as a backup method to communicate in case your primary means has been compromised.

Question 18

What is an example of an out-of-band communication system?

Answer 18

WhatsApp
Signal
Off-the-Record

These apps have a messaging system with end-to-end encryption so no attacker can see the information being exchanged.

Question 19

What is an escalation procedure?

Answer 19

This is the procedure you follow to determine at what point you should call in your incident response team.

Question 20

What is a SIEM?

Answer 20

Security Information and Event Monitoring System

Through a multitude of different data sources, this provides us with real-time analysis of security alerts that are generated by applications and network hardware.

Question 21

When talking about a SIEM, the first thing we have to think about is…?

Answer 21

Our sensor

This is the actual endpoint that’s being monitored. The sensor can feed data up into the SIEM.

Question 22

Another thing we have to think about with our SIEMs is their…?

Answer 22

Sensitivity

This is focused on how much or how little you are going to be logging.

Question 23

By using a SIEM and it’s graphical ability to look across logs, we can start seeing ___ in our network.

Answer 23

Trends

Question 24

Inside the SIEM, we can set it up so there’s certain ___ that happen based on certain parameters.

Answer 24

alerts

Question 25

This is one of the big things within a SIEM. We're getting data from a lot of different sources and all of these things need to be ____.

Answer 25

correlated

Question 26

What is a log file?

Answer 26

Any file that records either events that occur in an operating system or other software that's running.

Question 27

There's lot of different types of log files out there. What are they?

Answer 27

Network Log Files - tracks all things going through routers and switches System Log Files - tracks all things happening on an individual host or server Application Log Files - tells us exactly what each application is doing on a given system Security Log Files - proxy server logs (websites that have been accessed by your users) DNS Log Files - Requests made of that DNS server Authentication Log Files - tells us any kind of authentication across our files, systems and servers. Dump Files - logs when things happen to crash

Question 28

What is syslog, ryslog and syslog-ng?

Answer 28

Three variations that do the same thing. They all permit logging of data from different types of systems into a central repository.

Question 29

One of the things our SIEM relies heavily on is using...?

Answer 29

syslog, rsyslog or syslog-ng It uses the data from these logs to grab information from various endpoints and dump into itself.

Question 30

What is journactl?

Answer 30

This is a Linux command-line utility that's used for querying and displaying logs from the journald, which is the journal daemon, which is basically the logging service for systemd on a a Linux machine. *** Basically this how you are able to look at the logs on a Linux machine.

Question 31

What is nxlog?

Answer 31

A multi-platform log management tool that helps us to easily identify security risks, policy breaches, or analyze operational problems in server logs, operational system logs, and application logs. *** remember that this is a multi-platform/cross-platform tool and it's open source.

Question 32

Nxlog and syslog are very similiar but how do they differ?

Answer 32

syslog, rsyslog, syslog-ng only work on Linux and Unix systems but nxlog is cross-platform capable.

Question 33

What is netflow?

Answer 33

It's a network protocol system created by Cisco that collects active IP network traffic as it's flowing into or out of an interface. *** So the things that are going into or out of your network through the firewall or through a router, netflow can capture that information.

Question 34

What is the difference between a full packet capture and netflow?

Answer 34

Netflow is more of a summarization of data. Full packet capture will capture everything. Every single one and zero that's going in and out of our network.

Question 35

What is sflow?

Answer 35

Sampled Flow An open source version of netflow. Where netflow is made by Cisco and is proprietary slfow is more of a generic version.

Question 36

What is IPfix?

Answer 36

Internet Protocol Information Export A universal standard for the export of Internet Protocol Flow Information from your routers, your probes, and other devices. That's going to be used by mediation systems, accounting and billing systems, and network management systems to facilitate services such as measurement, accounting and billing by defining how IP flow information is to be formatted and transferred from an exporter to a collector.

Question 37

What is metadata?

Answer 37

Metadata is data that describes other data. Basically, by providing an underlying definition or description by summarizing basic information about the data that makes finding and working with particular instances of data much easier. *** Essentially, this is data about the data.

Question 38

The first thing you need to know about forensics is everything we do we use...?

Answer 38

written procedures These are going to ensure that personnel handle forensics properly, effectively, and in compliance with required regulations.

Question 39

Basic forensic procedures is a four step process. What are the steps?

Answer 39

1. Identification 2. Collection 3. Analysis 4. Reporting

Question 40

What is the identification step of the basic forensic procedures?

Answer 40

This is going to ensure the scene is safe, we have made sure we secure the scene to prevent any evidence contamination, and we identify the scope of the evidence to be collected.

Question 41

What is the collection step of the basic forensic procedures?

Answer 41

We have to ensure that we have authorization to collect the evidence. Then, we document and prove the integrity of the evidence as it's collected.

Question 42

What is the analysis step of the basic forensic procedures?

Answer 42

Create a copy of evidence for analysis and use repeatable methods and tools during analysis

Question 43

What is the reporting step of the basic forensic procedures?

Answer 43

Create a report of the methods and tools used in the investigation and present detailed findings and conclusions based on the analysis

Question 44

What is the concept of a legal hold?

Answer 44

A process that designed to preserve all relevant information when litigation is reasonably expected to occur. *** litigation = lawsuit

Question 45

Forensic analysts have a code of ethics. What are they?

Answer 45

1. Analysis must be performed without bias 2. Analyst methods have to be repeatable by third parties 3. Evidence must not be changed or manipulated

Question 46

What is the best way to present information as part of your analysis and report?

Answer 46

Using a timeline This will show the sequence of file system events within a source image in a graphical format

Question 47

What do you use digital forensic collection techniques for?

Answer 47

Used to make forensic images of the data on those servers and use that evidence for later analysis this then allows your incident response team to help get your server back online as quickly as possible and resume operations while also maintaining evidence

Question 48

What is data acquisition?

Answer 48

The method and tools used to create a forensically sound copy of the data from a source device, such as system memory, or a hard disk.

Question 49

What is tracert/traceroute?

Answer 49

A networking tool A network diagnostic command for displaying possible routes and measuring transit delays of packets as they go across an IP network *** You can use this to see all the different routers you went through in order to get a specific web server

Question 50

What is nslookup and dig?

Answer 50

A networking tool These are utilities that are used to determine the IP address associated with the domain name, obtaining the mail server settings for a domain and other DNS information

Question 51

what is the difference between nslookup and dig?

Answer 51

nslookup = is the name server lookup dig = allows you to dig through those DNS records and get information. This tool is also not available for Windows machines.

Question 52

What is ipconfig and ifconfig?

Answer 52

These are utilites that display all the network configurations of the currently connected network devices and they can be used to modify DHCP and DNS settings

Question 53

What is the difference between ipconfig and ifconfig?

Answer 53

ipconfig = Windows ifconfig = Linux/Unix

Question 54

What is nmap?

Answer 54

An open-source network scanner that is used to discover hosts and services on a computer network by sending packets and analyzing their responses *** For the test, you should know how to look at the output from nmap and be able to read itn and then pick out open vs closed ports

Question 55

What is ping/pathping?

Answer 55

Utility used to determine if a host is reachable on an internet protocol network

Question 56

What is hping?

Answer 56

An open source packet generator and also an analyzer It is used for the TCP/IP protocol and for security auditing and testing of firewalls and networks

Question 57

What is netstat?

Answer 57

A utility that displays the network connections for the transmission control protocol (TCP) as well as routing tables and a number of other interface and network protocol statistics *** essentially, this will let you see all of the different things that your computer is connected to right now

Question 58

what is netcat?

Answer 58

A utility for reading from and writing to network connections using their UDP or TCP which allows it to be used as a dependable backend that can be used directly or easily drive by other programs and scripts *** You can use this to connect a web server, you'll get a text response back and you can read the code that the web server sent to you. That way you can under what OS it is and what type of software is being used on it. You can use it to have a shell connection and remotely control a machine.

Question 59

What is ARP?

Answer 59

A utility for viewing and modifying the local address resolution protocol or ARP cache on a given host or server *** ARP is a layer 2 protocol. Instead of using IP addresses when on the local area network, you use ARP messages and we transfer information based on their MAC address, not their IP address. ARP cache is actually that mapping. If you think about how DNS is used for IP addresses to domain names, ARP is like that, but going from MAC addresses to IP addresses. You can use that ARP tool to see what IP and MAC addresses are bound together.

Question 60

What is route?

Answer 60

A utility to be able to view and manipulate the IP routing table on a given host or server

Question 61

What is a default gateway?

Answer 61

Your router on your network

Question 62

What is curl?

Answer 62

A command line tool that's used to transfer data to or from a server using any of a number of different protocols

Question 63

What is harvester?

Answer 63

A Python script but it's used to gather emails, subdomains, hosts, employee names, open ports, and banners from different public sources like search engines PGP key servers and SHODAN databases It is a reconnaissance tool

Question 64

What is sn1per?

Answer 64

An automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities across your network

Question 65

What is scanless?

Answer 65

A utility that's used to create an exploitation website that can perform open port scans in a more stealthy manner *** Essentially, you can set up a web server that can do all of your scans for you against those given targets

Question 66

What is dnesnum?

Answer 66

A utility that's used for DNS enumeration and it's used to locate all the DNS servers and DNS entries for a given organization

Question 67

What is Nessus?

Answer 67

A proprietary vulnerability scanner that can remotely scan a computer or network for vulnerabilities *** This is an infrastructure scanner for things like routers, switches, hosts and servers

Question 68

What is Cuckoo?

Answer 68

Open source software for automating analysis of suspicious files *** Essentially, a sandbox environment

Question 69

What is "head"?

Answer 69

A linux tool A command-line utility for outputting the first 10 lines of a file that's provided to it

Question 70

What is "tail"?

Answer 70

A linux tool A command-line utility for outputting the last 10 lines of a file

Question 71

What is "cat"?

Answer 71

A linux tool A command line utility for outputting the contents of a file to your sceen, all of that file.

Question 72

What is "grep"?

Answer 72

A linux tool A command-line utility for searching plain text data sets for lines that match a regular expression or a pattern

Question 73

What is "chmod"?

Answer 73

A Linux tool A command line utility that's used to change the access permissions of file system objects

Question 74

What is "logger"?

Answer 74

A linux tool A utility that provides an easy to add messages to the /var/log/syslog file from the command line or from other files

Question 75

What is SSH?

Answer 75

Shells & Scripts Secure Shell Utility that supports encrypted data transfer between two computers for secure logins, file transfers, or general purpose connections

Question 76

What is Powershell?

Answer 76

Shells & Scripts Only used in Windows A task automation and configuration management framework from Microsoft and it consists of a command line shell and the associated scripting language which is known as Powershell

Question 77

What is OpenSSL?

Answer 77

Shells & Scripts A software library for applications that will help us secure communications over computer networks against eavesdropping or the need to identify the party at the other end. If you use secure shell you will be using OpenSSL to protect it

Question 78

What is tcpdump?

Answer 78

Packet Captures A command line utility that allows you to capture and analyze network traffic going through your system

Question 79

What is Wireshark?

Answer 79

Packet Captures A network analysis tool that can be used to capture network packets and display them at a granular level for real-time or offline analysis

Question 80

What is dd?

Answer 80

Forensics A command line utility that's used to copy disk images using a bit by bit copying process

Question 81

What is a FTK imager?

Answer 81

FTK Imager works on Windows and it is a graphic user interface based tool. A data preview and imaging tool and it's going to let you quickly access electronic evidence to determine if you need to do further analysis with a forensic tool like FTK or EnCase or Autopsy

Question 82

What is memdump?

Answer 82

Forensics A Linux command line utility that is used to dump system memory to the standard output stream by skipping over holes in memory maps *** A way to capture volatile information in memory before it changes

Question 83

What is WinHex?

Answer 83

Forensics A commercial product A disk editor and universal hexadecimal editor that can be used for data recovery and digital forensics

Question 84

What is Autopsy?

Answer 84

Forensics A digital forensics platform and graphical user interface that is laid on top of The Sleuth tool kit. *** It tries to make hard to use command line tools easier by providing a graphic user interface to them

Question 85

What is Metasploit?

Answer 85

Exploitation Also known as Metasploit Framework or MSF A computer security tool that offers information about software vulnerabilities, IDS development, and improves penetration testing.

Question 86

What is BeEF?

Answer 86

Exploitation Browser Exploitation Framework A tool that can hook one or more browsers and then use them as a beachhead for launching various direct commands and further attacks against the system from within the browser context *** Can be used as a penetration tester for behaving as a man in the middle attack between them and the system they're trying to connect to

Question 87

What is Cain and Abel

Answer 87

Exploitation A password recovery tool that can be used to sniff the network, cracking encrypted passwords using dictionary, brute force, or cryptanalysis attacks. It can also record VoIP conversations, decoding scrambled passwords, reveal password boxes or analyze routing protocols

Question 88

What is John the Ripper?

Answer 88

Exploitation A cross platform password cracker. It's open source. Known as a password security auditing tool and password recovery tool that's available for most OSs. It can also use dictionary or brute force attacks like Cain and Able.

Question 89

When collecting evidence, you should always follow the order of volatility. Collect the most volatile evidence first and the least last. How does this look?

Answer 89

1. Always begin the collection with CPU registers and cache memory (L1/L2/L3/GPU) 2. The contents of system memory (RAM), including the routing table, ARP cache, process tables, kernal statistics, and temporary file systems/swap space/virtual memory 3. Lastly, move onto the collection of data storage devices like hard drives, SSDs and flash memory devices

Question 90

What is the chain of custody?

Answer 90

This is used to document the collection and preservation of evidence from its initial acquisition throughout the handling leading up to the trial and during its preservation in case of an appeal or retrial *** This is what would be required for evidence to be admissible in a court of law