Ch. 22 - Incident Response (Notes)
Diamond model of intrusion analysis
A cognitive model used by the threat intelligence community to describe a specific event.
MITRE ATT&CK Framework
A comprehensive matrix of attack elements, including the tactics and techniques used by attackers on a system.
What does NIST stand for?
National Institute of Standards and Technology
simulations
Approximations of the operation of a process or system that are designed to represent the actual system operations over a period of time
What does SOAR stand for?
Security Orchestration, Automation, Response
What is SOAR used for?
Seeks to alleviate the strain on IT teams by incorporating automated responses to a variety of events.
What are some foundations of Incident Response?
- confirm or dispel incident: ground truth
- establish controls for evidence
- protect privacy rights
- allow for legal/civil recourse
What are the two major elements that play a role in determining the level of response?
- information criticality
- business decisions on how the incident plays into current business operations
What is the cyber kill chain? (7 steps)
1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command & Control
7. Action & Objective
What does CIRT stand for?
Computer Incident Response Team
Who are the adversaries in the attack diamond model?
Hacktivists, Cybercriminals, APTs
What are the infrastructures in the attack diamond model?
IP addresses, Domain Names, & E-mail Addresses
What is Threat Hunting?
Iterative process of proactively searching out threats inside the network.
log files
a primary source of information during an investigation
What is a Computer Incident Response Team?
a team that is responsible for dealing with major security incidents
incident response
a term used to describe the steps an organization performs in response to any situation determined to be abnormal in the operation of a computer system
What is Threat Intelligence?
actionable information about malicious actors, their tools, infrastructure, and methods.
Walkthroughs
actual steps that take place associated with a process, procedure, or event are examined
Who are the victims in the attack diamond model?
customer data, intellectual property, & critical infrastructure
metadata
data about data
What is an incident response plan?
documentation associated with the steps an organization performs in response to any situation determined to be abnormal in the operation of a computer system
________ act as a historical record of what happened on a system
log files
tabletop
participants walk through all the steps of a process, ensuring all elements are covered
National Institute of Standards and Technology
produces a wide range of Special Publications (SPs) in the area of computer security
Attack frameworks
provide a roadmap of types and sequence of actions used when attacking a system
file metadata comes in two flavors:
system and application
What are the capabilities in the attack diamond model?
tactics, tools, techniques, & procedures
stakeholders
the parties that have an interest in a process or the outcome of a process
incident management
the process responsible for managing how incidents are identified and corrected
