Week 6

Question 1

Incident

Answer 1

A violation (or threat of violation) of your computer security policies or standard security practices. Some common examples include distributed denial of service (DDOS) attacks.

They are a subset of events defined as any observable occurrence in a system or network.

Question 2

Incident Response (IR)

Answer 2

The process of managing and containing the aftermath of a security incident.

The goal is to minimize the damage caused by the incident, restore normal operations as quickly as possible, and prevent similar incidents from happening in the future.

Question 3

Incident Response Stages

Answer 3

Preparation,
Identification,
Containment,
Eradication,
Recovery,
Lessons Learned;

Question 4

Preparation (IR)

Answer 4

This phase involves developing an incident response plan, identifying key stakeholders, and training personnel on how to respond to incidents.

Every security team should be prepared for an incident.

Question 5

Identification (IR)

Answer 5

This is the first step in incidence response.

In this phase, the incident is identified, usually through monitoring and logging systems, and an initial assessment is made of the scope and nature of the incident.

Question 6

Containment (IR)

Answer 6

This is the second step. Once the incident has been identified, the focus shifts to containing the damage and preventing the incident from spreading.

This might involve shutting down systems, disconnecting affected devices from the network, or blocking access to malicious domains or IP addresses.

Question 7

Eradication (IR)

Answer 7

This phase involves identifying and removing the source of the incident.

This might involve cleaning up malware, patching vulnerabilities, or restoring backups.

Question 8

Recovery (IR)

Answer 8

After the incident has been contained and eradicated, the focus shifts to restoring normal operations and services.

This might involve bringing systems and applications back online, testing to ensure they are working properly, and communicating with users and stakeholders about the incident.

Question 9

Lessons Learned (IR)

Answer 9

In this phase, the incident is reviewed to determine what went well and what could be improved.

The incident response team will document lessons learned and make recommendations for future incident response.

Question 10

Roles within an Incident Response Team

Answer 10

SOC analysts,
Malware reversal engineers,
Forensic experts,
Incident response managers,
Security analysts,
Threat researchers,
Other stakeholders,
Third parties.

Question 11

Incident Response Plan (IRP)

Answer 11

A document that outlines the steps an organization will take when responding to a security incident.

It typically includes information on the roles and responsibilities of different team members, the procedures for responding to different types of incidents, and the communication protocols that will be used during an incident.

Question 12

What types of incidents can occur?

Answer 12

Malicious code,
D/DOS,
Phishing
Unauthorized access,
Insider threat,
Data breach,
Targeted attack (often encompassing several of the above categories);

Question 13

Incident : Ransomware Signs

Answer 13

Files became encrypted in real-time,
Computer became locked denying the user access to its device,
Web browser became locked;

Question 14

Incident : Tools to analyze suspicious emails

Answer 14

PhishingEmail Analysis Tools,
URL/IP Reputation Check,
FIle/Attachment Analysis
Whois Record;

Question 15

Incident : Examine the logs

Answer 15

During incident response, It is important to examine logs to look out for possible Indicators of Compromise (IOC’s)

There are several types of logs these days in most organization’s network environments:
Firewall,
Proxy,
DNS,
Windows,
Office 365 (admin access can see malicious email on recipients email),
SIEM tools like Splunk, Logrhythm, and ArcSight;

Question 16

Tier 1 SOC Analyst (IR)

Answer 16

An entry-level role in which an individual is responsible for monitoring and analyzing security-related data from various sources, such as network traffic logs, security alerts, and system events.

They may also be responsible for identifying and triaging potential security incidents, and escalating them to higher-level SOC team members or incident response teams as necessary.

Question 17

Tier 2 SOC Analyst (IR)

Answer 17

A more senior role than a Tier 1 SOC analyst and typically
involves more advanced responsibilities.

They are responsible for responding to, analyzing and resolving security incidents that have been escalated from Tier 1 analysts.

They often use specialized tools and techniques to perform forensic investigations, and they may also be responsible for communicating with other teams, such as incident response teams, to coordinate and execute incident response activities.

Question 18

Tier 3 SOC Analysts (IR)

Answer 18

A more advanced role and is considered as a subject matter
expert.

They are responsible for overseeing and managing the overall incident response process, including the analysis and resolution of complex security incidents.

They often lead investigations and collaborate with other teams such as
incident response, forensic, and threat intelligence to gather and analyze data from various sources.

They are often responsible for creating and updating incident response plans, and for reporting on security incidents to senior management.

They also review and improve the incident response process, and work with other teams to address systemic security issues.

Question 19

Incident : IRP when dealing with the ransomware attack

Answer 19

1. Lock down the network- there’s a possibility that other files and devices had been infected:

– Lock down the infected computer,
– Isolate the device,
– Block network traffic using the firewall,
– Disconnect the device from the network or pull the plug out;

2. Disable the ransomware process using anti-malware software which removes crucial files or key files. Hitman pro and mc soft emergency kit can come in handy for this process.
3. Check to see if files are decryptable using ID ransomware which is an open-source tool that tells you if the files are decryptable or not and also the kind of ransomware attack. E.g Jigsaw. Some are not decryptable like spora.
4. Check to see if the Company has auto/manual backups. Restore backup storage and rebuild the machine where necessary.

Question 20

EDR (Endpoint Detection & Response)

Answer 20

Focused on protecting the endpoint, providing in-depth visibility and threat prevention for a particular device.

Question 21

XDR

Answer 21

Takes a wider view, integrating security across endpoints, cloud computing, email, and other solutions.

They are designed to detect and respond to malicious activity across various types of devices, networks, and cloud environments.

Question 22

Types of XDR

Answer 22

Endpoint,
Network,
Cloud,
Email,
IoT;

Question 23

SOAR (Security Orchestration, Automation, and Response)

Answer 23

A technology that helps organizations automate and streamline their security operations.

Used to describe three software capabilities:
– Threat and Vulnerability Management,
– Security incident response,
– Security operations automation.

Having an effective SOAR in place, you’re sure to have optimal security, reducing the tedious 24/7 SOC operations to the barest minimum.