Topic 12A Flashcards
cybersecurity incident
a successful or attempted violation of the security properties of an asset, compromising its confidentiality, integrity, or availability. Incident response (IR) policy sets the resources, processes, and guidelines for dealing with cybersecurity incidents.
The incident response lifecycle is a seven-step process:
Preparation
Detection
Analysis
Containment
Eradication
Recovery
Lessons learned
Case management tools
provide a database for logging incident details and coordinating response activities across a team of responders.
Preparation Phase:
Cybersecurity infrastructure:
Digital forensics
Incident detection tools
Case management tools
Cyber incident response team:
Legal - compliance laws
Human Resources - deals with employee contracts, employment law, and underlying personnel issues
Public relations
Communication plan:
Call list - A document listing authorized contacts for notification and collaboration during a security incident.
Stakeholder management
Incident response plan:
This lists the procedures, contacts, and resources available to responders for various incident categories.
Detection Phase:
is the process of correlating events from network and system data sources and determining whether they are indicators of an incident.
First responder:
The first experienced person or team to arrive at the scene of an incident.
Detection indicators may be recorded in a multitude of ways:
Matching events in log files, error messages, IDS alerts, firewall alerts, and other data sources to a pattern of known threat behavior.
Identifying deviations from baseline system metrics.
Manually or physically inspecting the site, premises, networks, and hosts. Running a proactive search for signs of intrusion is referred to as threat hunting.
Notification by an employee, customer, or supplier.
Public reporting of new vulnerabilities or threats by a system vendor, regulator, the media, or other outside party.
Analysis
Impact:
Data integrity
Downtime
Economic/publicity
Scope
Detection time
Recovery time
Kill chain category:
A model developed by Lockheed Martin that describes the stages by which a threat actor progresses to a network intrusion. The stages go in the following order:
Reconnaissance
Weaponization
Delivery
Exploitation
Installation
Command & Control
Actions on Objectives
Playbooks:
A playbook is a data-driven standard operating procedure (SOP) to assist analysts in detecting and responding to specific cyber threat scenarios. The playbook starts with a report from an alert dashboard. It then leads the analyst through the analysis, containment, eradication, recovery, and lessons learned steps to take.
Containment
issues facing the CIRT are the following:
What damage or theft has occurred already? How much more could be inflicted?
What countermeasures are available? What are their costs and implications?
What actions could alert the threat actor that the attack has been detected? What evidence of the attack must be gathered and preserved?
What notification or reporting is required at this stage of the incident?
Isolation-Based Containment:
A simple option is to disconnect the host from the network by pulling the network plug.
Use a sinkhole - If a group of hosts is affected, you could use routing infrastructure to isolate one or more infected virtual LANs (VLANs) so that they are not reachable from the rest of the network.
Disable account or application
Segmentation-Based Containment:
uses VLANs, routing/subnets, and firewall ACLs to prevent a host or group of hosts from communicating outside the protected segment.
As opposed to completely isolating the hosts, you might configure the protected segment as a sinkhole or honeynet and allow the attacker to continue to receive filtered (and possibly modified) output to deceive them into thinking the attack is progressing successfully.
Eradication and Recovery
ensuring that the system cannot be compromised through the same attack vector, or failing that, that the vector is closely monitored to provide advance warning of another attack.
Reconstitution of affected systems—by either removing the malicious files or tools from affected systems or restoring the systems from secure backups/images.
Re-audit security controls—by ensuring they are not vulnerable to another attack. This could be the same attack or a new attack that the attacker could launch using information they have gained about the network.
Ensure that affected parties are notified and provided with the means to remediate their own systems. For example, if customers’ passwords are stolen, they should be advised to change the credentials.
Lessons learned meeting participants:
staff directly involved along with other noninvolved incident handlers, who can provide objective, external perspectives.
Lessons learned report
An analysis of events that can provide insight into how to improve response and support processes in the future.
root cause analysis
A technique used to determine the true cause of the problem that, when removed, prevents the problem from occurring again.
“five whys” model
Used to find the root cause.
This starts with a statement of the problem and then poses successive “Why” questions to drill down to root causes.
One issue is that this can branch into different directions of inquiry.
Tabletop exercise
This is the least costly type of testing.
The facilitator presents a scenario, and the responders explain what action they would take to identify, contain, and eradicate the threat.
The training does not use computer systems.
The scenario data is presented as flash cards.
Walkthroughs
A facilitator presents the scenario as for a tabletop exercise, but the incident responders demonstrate what actions they would take in response.
The responders perform actions such as running scans and analyzing sample files, typically on sandboxed versions of the company’s actual response and recovery tools.
Simulations
A simulation is a team-based exercise, where the red team attempts an intrusion, the blue team operates response and recovery controls, and a white team moderates and evaluates the exercise.
This type of training requires considerable investment and planning.