Security Plus - Chapter 14 Flashcards
Incident
A violation of the organization’s policies, procedures, or security practices.
Event
An observable occurrence of an activity that does not follow normal expected results.
There are many events, but very few events become an incident.
Incident Response (IR) Process
Organizations must prepare for incidents, identify incidents when they occur, then contain and remove artifacts from the incident. Once the incident is contained, the organization can work to recover and return to normal operations, and then make sure that the lessons learned from the incident are baked into the preparation for the next time an incident occurs.
Incident Response (IR) Cycle
Preparation - Build the tools, processes, and procedures to respond to an incident.
- Build and train an IR team
- Conduct exercises
- Document what you will respond to and how you will respond
- Acquire, configure, and operate security tools and IR capabilities
Detection - Involves reviewing events to identify incidents.
- Pay attention to indicators of compromise
- Use log analysis and security monitoring capabilities
- Have a comprehensive awareness and reporting program
Analysis - Once an event has been identified as being part of an incident, it needs to be analyzed.
- Identify other related events
- Identify a target and review
- Identify what impact occurred to the organization
Eradication - Remove the artifacts associated with the incident.
- Rebuild and restore systems and applications from backups
- This ensures that the system is back to its last known healthy image. Eradication and verification are crucial to ensure the incident is actually over.
Recovery - Restoration back to normal operations.
- Bringing systems and services back online
- After eradication is successful
- Implementing fixes to ensure whatever weakness, flaw, or action that allowed the incident to occur has been remediated to prevent an immediate reoccurrence.
Lessons learned is an additional step that gives organizations the ability to review how the incident response went and update the IR program and process accordingly.
Incident Response (IR) Preparation
Once defining the IR process is completed, the next step is to define the IR team. After that, build the plans, then test the plans via exercises.
Incident Response (IR) Team
Teams must be built with representatives from multiple areas of the organization. A member of leadership or management is responsible for making decisions for the team and acts as the primary conduit to senior leadership; this leader must have enough seniority to be able to make decisions for the organization in an emergency. Information security staff make up the core of the IR team and bring the specialized IR and analysis skills needed for the process. Members of the IT staff and other disciplines from throughout the organization, such as system administrators and developers, provide technical expertise on systems. Communications and public relations staff help make sure that internal and external communications are handled appropriately. Human Resources staff may be involved at times. The legal department advises on any legal issues, contracts, etc. Law enforcement may be added to a team, but usually only when it is required.
Incident Response (IR) Exercises
Tabletop exercises - Used to talk through processes. Team members are given a scenario and are asked how they would respond, what issues might arise, and what they would need to do to accomplish the tasks they are assigned in the IR plan.
Simulations - Can include a variety of types of events. Exercises may require performing functions or elements of the IR plan, and may target specific parts of the plan or specific areas of the organization. This can also be done at full scale involving all members of the IR team. It is important to know that these exercises should not impact the organization in a negative way.
Building an Incident Response (IR) Plan
Communication Plan
Stakeholder Management Plan - Focuses on groups or individuals that are impacted by the incident. These can be either internal or external and may have different roles or expectations.
Business Continuity Plan - Focuses on keeping the organization functional when an incident occurs.
Disaster Recovery Plan - DR plan prepares for a natural or human-made disaster that may destroy a facility or infrastructure and cause the organization to not function normally.
Policies
Formal statements of organizational intent that explain why an organization operates in certain ways and define the purpose or objective of the organization.
Training
Employees should be provided training to ensure they are able to perform their required activities in the event of a disaster. This can be performed through internal processes or by utilizing external sources like CISA or other third parties.
Threat Hunting
Helps organizations achieve the detection and analysis phases of the incident response process. The hunters look for indicators of compromise (IoCs), which are associated with malicious actors and incidents.
- Account lockout - Usually due to brute-force login attempts or incorrect passwords being used.
- Concurrent session usage - If a user is connected from more than one device when this is abnormal for that user, this would be an IoC.
- Blocked content - An attacker may be trying to exfiltrate data and the content blocking software is sending notifications to be aware of this activity.
- Impossible travel - A user is trying to connect from two different locations in an unreasonable amount of time to get from one location to the other.
- Resource consumption - Filling up a disk drive or utilizing more bandwidth than normal for uploads or downloads.
- Resource inaccessibility - If a resource or system is not able to be accessed during a time when access should be available.
- Out-of-cycle logging - When an event that normally happens at a set time or on a set cycle occurs at an unusual time.
- Missing logs - May indicate that an attacker has wiped the logs to attempt to hide their actions.
- Published/documented - Describes IoCs that have previously been discovered or published. Normally distributed via threat feeds through information sharing organizations.
Attack Frameworks
MITRE ATT&CK - Adversarial Tactics, Techniques, and Common Knowledge: a knowledge base of adversary tactics and techniques. Includes detailed descriptions, definitions, and examples for the complete threat lifecycle from reconnaissance through execution, persistence, privilege escalation, and impact.
Monitoring Computing Resources
Three types of monitoring:
- Systems monitoring - Done via system logs as well as through central management tools, including those found in cloud services. System health and performance information may be aggregated and analyzed through those management tools.
- Application monitoring - May involve application logs, interfaces, and performance monitoring tools.
- Infrastructure monitoring - Logs generated by network and infrastructure devices; SNMP and syslog are examples of the protocols used to collect them.
Security Information and Event Management (SIEM)
SIEM devices and software are broad security capabilities based on the ability to collect and aggregate log data from a variety of sources and then perform correlation and analysis activities on the data. The SIEM ingests the data, compares it to other data it has, and applies rules, analytical techniques, and machine learning to the data.
SIEM Dashboards - May contain sensors that gather and send information, trending and alerting capabilities, correlation engines and rules, and methods to set sensitivity and levels.
- Sensitivity & thresholds - Set thresholds, filter rules, and other methods to manage the data being sent to the SIEM, as too much data can overload the SIEM. Helps avoid alert fatigue and false positives. Alert fatigue - Alerts are sent so often and there are so many that analysts stop responding to them.
- Trends - Can point to a new problem, an exploit that is occurring, or malware that’s becoming prevalent.
- Alerts and alarms - Categorized by their time and severity, then provide detailed information that can be drilled into to investigate the activity further. Alert tuning is the process of modifying alerts to only alarm on important events.
- Log aggregation, correlation, and analysis - Matching data points to other key data points for investigations. Correlation matches known events and IoCs to build a complete dataset for an incident or event. Rules - Alarms, alerts, and correlation are reviewed and rules are created to determine if alerts should be signaled. Logic is used to determine if and when a rule will be activated, then actions can trigger based on the rule.
Log files - Provide incident responders with information about what has occurred. The responders need to make sure the log files have not been tampered with. Attackers may seek these out to impede the responders' ability to identify attack details.
- Firewall logs - Information about blocked and allowed traffic, can also provide application layer details or IDS/IPS functionality.
- Endpoint logs - Application installation logs, system and service logs and other logs available from endpoints.
- OS-specific security logs - Windows systems store information about failed and successful logins and other authentication logs.
- IDS/IPS logs - Provide insight into attack traffic that is detected or blocked.
- Network logs - Includes logs for routers and switches, config changes, traffic information, network flows, and data captured by packet analyzers.
- Logging protocols and tools - Syslog, rsyslog, syslog-ng, NXLog. Be aware of how much data is being collected so that the processing and storage capacity of the logging systems is not overwhelmed.
Metadata
Data generated as a normal part of system operation, communication, and other activities can be used for incident response. Metadata is data about other data. Types of metadata:
- Email metadata - Includes details about the email including the sender, the recipient, date and time of the message, attachments, and where the email traveled from and through, including additional information contained in the header.
- Mobile metadata - Collected by phones and other devices, such as call logs, SMS message data, data usage, GPS location, cell tower information, and other cell data.
- Web metadata - Data embedded into websites as part of the code but usually invisible to everyday users. Tags, headers, cookies, and other information used for search engines, website functionality, advertising, and tracking.
- File metadata - Data about when a file was created, how it was created, when it was modified, who modified it, and additional details.