SEC+ 701 Explain Incident Response & Monitoring Concepts


Chain of Custody

Documentation records where, when, and who collected the evidence, who subsequently handled it, and where it was stored. Establishes the integrity and proper handling of evidence. -When security breaches go to trial, the chain of custody protects an organization against accusations that evidence has either been tampered with or is different than it was when it was collected. Every person in the chain who handles evidence must log the methods and tools they used.

Reporting

A managerial control that provides insight into the status of the security system. -Determining which metrics are most useful in terms of reporting is always very challenging.

Windows Logs

- Application, events generated by application processes, such as when there is a crash, or when an app is installed or removed. - Security, audit events, such as a failed login or access to a file being denied. - System, events generated by the operating system's kernel processes and services, such as when a service or driver cannot start, when a service's startup type is changed, or when the computer shuts down.

Eradication and Recovery

- The eradication process applies mitigation techniques and controls to remove the intrusion tools and unauthorized configuration changes from systems. - When traces of malware, backdoors, and compromised accounts have been eliminated, the recovery process ensures restoration of capabilities and services. Hosts are fully reconfigured to operate the business workflow they were performing before the incident. - Same attack vector: ensure affected parties are notified and provided with the means to remediate their own systems.

Event Viewer

Each event has a header reporting the source, level, user, timestamp, category, keywords, and host name.

Incident Response

Effective incident response is governed by formal policies and procedures, setting out roles & responsibilities for an incident response team.

Stakeholder Management

Ensure that parties with privileged information do not release this information to untrusted parties, whether intentionally or inadvertently. - The outcome of preparation activity is a formal incident response plan (IRP). It lists the procedures, contacts, and resources available to responders for various incident categories.

Impact

Factors affecting the process of determining impact: data integrity, downtime, economic/publicity, scope, detection time, recovery time.

Containment

Following detection and analysis, the incident management database should have a record of the event indicators, the nature of the incident, its impact and the investigator responsible for managing the case. The next phase of incident management is to determine an appropriate response.

Recovery Time

Some incidents require lengthy remediation, as the system changes required are complex to implement. This extended recovery period should trigger heightened alertness for continued or new attacks.

Network Logs

Generated by appliances such as routers, firewalls, switches, and access points.

System Monitor

Implements the same functionality as a network monitor for a computer host.

Cyber Incident Response Team

Incident response policies should establish clear lines of communication for reporting incidents and notifying affected parties as the management of an incident progresses. -Status and event details should be circulated on a need-to-know basis and only trusted parties identified on a call list. - Team requires an out-of-band communication method that cannot be intercepted.

Digital Forensic Analysis

Involves examining evidence gathered from computer systems and networks to uncover relevant information, such as deleted files, timestamps, user activity, and unauthorized traffic.

Cybersecurity Infrastructure

Hardware and software tools that facilitate incident detection, digital forensics, and case management. - Incident detection tools provide visibility into the environment. - Digital forensics tools facilitate acquiring and validating data from system memory and file systems. Forensics can be performed just to assist incident response or to prosecute a threat actor.

Acquisition

The process of obtaining a forensically clean copy of data from a device seized as evidence. - Any mistake may make evidence gained from the search inadmissible.

Isolation-Based Containment

Isolation involves removing an affected component from whatever larger environment it is part of. - The simplest option is to disconnect the host from the network by pulling the network plug (creating an air gap) or disabling its switch port. - If a group of hosts is affected, you could use routing infrastructure to isolate one or more infected virtual LANs (VLANs) in a sinkhole that is not reachable from the rest of the network. - Isolation could also refer to disabling a user account or application service.

Linux Logs

Journald messages are read using the journalctl command, but it can be configured to export some messages to text files via syslog. - /var/log/messages or /var/log/syslog stores all events generated by the system.

Endpoint Log

Likely to refer to events monitored by security software running on the host, rather than by the OS itself. Can include host-based firewalls and intrusion detection, vulnerability scanners, and antivirus/antimalware protection suites. - Endpoint protection platform (EPP), enhanced detection and response (EDR), or extended detection and response (XDR). - Directly integrated with a SIEM using agent-based software.

Containment

Limit the scope and magnitude of the incident. The principal aim of incident response is to secure data while limiting the immediate impact on customers and business partners. It is also necessary to notify stakeholders and identify other reporting requirements.

Preparation

Makes the system resilient to attack in the first place. Hardening systems, writing policies and procedures, and setting up confidential lines of communication. Implies creating incident response resources and procedures.

Segmentation-Based Containment

Means of achieving the isolation of a host or group of hosts using network technologies and architecture.

E-discovery

Means of filtering the relevant evidence produced from all the data gathered by a forensic examination and storing it in a database in a format such that it can be used as evidence in a trial. E-discovery software tools have been produced to assist this process.

Data Loss Prevention (DLP)

Mediates the copying of tagged data to restrict it to authorized media and services.

Maneuver

Military doctrine term relating to obtaining positional advantage. Example: might use passive discovery techniques so that threat actors are given no hint that an intrusion has been discovered before the security team has a containment, eradication, and recovery plan.

Data Integrity

The most important factor in prioritizing incidents will often be the value of the data that is at risk.

Alert Tuning

Necessary to reduce the incidence of false positives.

Log Aggregation

Normalizing data from different sources so that it is consistent and searchable. SIEM software features connectors or plug-ins to interpret (or parse) data from distinct types of system and to account for differences between vendor implementations.

Write Blocker

Prevents any data on the disk or volume from being changed by filtering write commands at the driver and OS level.

Testing

Procedures and tools used for incident response are difficult to master and execute effectively. Analysts should not be practicing them for the first time in the high-pressure environment of an actual incident.

Lessons Learned Report (LLR)

Process that reviews severe security incidents to determine their root cause, whether they were avoidable, and how to avoid them in the future. - Following the meeting, one or more analysts should compile a lessons learned report (LLR) or after-action report (AAR).

Dashboard

Provides a console to work from for day-to-day incident response. Provides a summary of information drawn from the underlying data sources to support some work task.

Syslog

Provides an open format, protocol, and server software for logging event messages.

Listener/Collector

Rather than installing an agent, hosts can be configured to push log changes to the SIEM server. - Some variant of the Syslog protocol is typically used to forward logs from the appliance to the SIEM.

Logs

Record events as users and software interact with the system. Different log files represent different aspects of system functionality. - Operating system-specific security logs record audit events. - Authentication events record when users try to sign in and out. - File system events record whether use of permissions to read or modify a file was allowed or denied. These generate a huge amount of data.

Incident Response Lifecycle

Seven-step process.

Data Source

Something that can be subjected to analysis to discover indicators.

System Memory Acquisition (cont.)

A specialist hardware or software tool can capture the contents of memory while the host is running. - This type of tool needs to be preinstalled, as it requires a kernel-mode driver to dump any data of interest.

Application logs

As well as events recorded by the operating system, hosts are also likely to generate application logs, including logs from host-based security software. - An application log file is simply one that is managed by an application rather than the OS.

Retention Policy

Can be enacted by a SIEM, so that historical log and network traffic data is kept for a defined period. Allows for retrospective incident and threat hunting, and can be a valuable source of forensic evidence.

Log Data

Can be kept and analyzed on each host individually, but most organizations require better visibility into data sources and host monitoring. SIEM software can offer a "single pane of glass" view of all network hosts and appliances by collecting and aggregating logs from multiple sources. Logs can be collected via an agent running on each host, or by using syslog( or similar) to forward event data.

Due Process

Can be understood to mean having a set of procedural safeguards to ensure fairness.

Network Monitor

Collects data about network infrastructure appliances, such as switches, access points, routers, and firewalls. - Data might be collected using the Simple Network Management Protocol (SNMP).

Internet header

Contains address information for the recipient and sender, plus details of the servers handling transmission of the message between them. - A mail user agent (MUA) creates an initial header and forwards the message to a mail delivery agent (MDA), which should perform checks that the sender is authorized to issue messages from the domain. - Assuming the email isn't being delivered locally at the same domain, the MDA adds or amends its own header and then transmits the message to a message transfer agent (MTA).

Live Acquisition

Copying the data while the host is still running. May capture more evidence or more data for analysis and reduce the impact on overall services, but the data on the actual disks will have changed, so this method may not produce legally acceptable evidence.

Log Data

Critical resource for investigating security incidents. - Event data is generated by processes running on network appliances and general computing hosts. The process typically writes its event data to a specific log file or database. - Each event consists of message data and metadata.

Forensics

The practice of collecting evidence from computer systems to a standard that will be accepted in a court of law. Forensics investigations are most likely to be launched to prosecute crimes arising from insider threats, notably fraud or misuse of equipment. - Like DNA or fingerprints, digital evidence is latent. Latent means that the evidence cannot be seen with the naked eye; rather, it must be interpreted using a machine or process.

Detection

The process of correlating events from network and system data sources and determining whether they are indicators of an incident. - Provide an option for confidential reporting so that employees are not afraid to report insider threats such as fraud or misconduct. - When a suspicious event is detected, it is critical that the appropriate person on the CIRT be notified so that they can take charge of the situation and formulate the appropriate response (first responder).

Cybersecurity Infrastructure (cont.)

This functionality is often implemented as a single product suite. Tools such as security information and event management (SIEM) and security orchestration, automation, and response (SOAR) provision alerting and monitoring dashboards to fully manage the steps in incident response.

Firewall logging

Used when testing a new rule or only enabled for high-impact rules. - A firewall audit event will record a date/timestamp, the interface on which the rule was triggered, whether the rule matched incoming/ingress or outgoing/egress traffic, and whether the packet was accepted or dropped.

Threat Hunting

Utilizes insights gained from threat intelligence to proactively discover whether there is evidence of TTPs already present within the network or system. This contrasts with a reactive process that is only triggered when alert conditions are reported through an incident management system. - Labor-intensive activity and so needs to be performed with clear goals and resources.

Testing and Training

Validate the preparation process and show that the organization as a whole is ready to perform incident response.

Preservation

Video recording the whole process of evidence acquisition establishes the provenance of the evidence as deriving directly from the crime scene.

System Memory Acquisition

Volatile data held in Random Access Memory (RAM) modules. - Volatile means that the data is lost when power is removed.

System Memory Dump

Creates an image file that can be analyzed to identify the processes that are running, the contents of temporary file systems, registry data, network connections, cryptographic keys, and more. It can also be a means of accessing data that is encrypted when stored on a mass storage device.

GUI imaging utilities

Including those packaged with forensic suites. - If no specialist tool is available, on a Linux host the dd command makes a copy of an input file to an output file.

macOS Logs

macOS uses a unified logging system, which can be accessed via the graphical Console app or the log command.

Intelligence Fusion

Threat hunting can be performed by manual analysis of network and log data, but this is a very lengthy process. An organization with a security information and event management (SIEM) and threat analytics platform can apply intelligence fusion techniques. - TTP and indicator threat data feed.

Digital forensics reporting

Summarizes the significant contents of the digital data and the conclusions from the investigator's analysis. It is important to note that strong ethical principles must guide forensics analysis. - Analysis must be performed without bias. Conclusions and opinions should be formed only from the direct evidence under analysis. - Analysis methods must be repeatable by third parties with access to the same evidence. - Ideally, the evidence must not be changed or manipulated. If a device used as evidence must be manipulated to facilitate analysis (disabling the lock feature of a mobile phone or preventing a remote wipe), the reasons for doing so must be sound and the process of doing so must be recorded.

Simulations

Team-based exercise, where the red team attempts an intrusion, the blue team operates response and recovery controls, and a white team moderates and evaluates the exercise. This type of training requires considerable investment and planning.

Downtime

The degree to which an incident disrupts business processes, another very important factor. An incident can either degrade (reduce performance) or interrupt (completely stop) the availability of an asset, system, or business process.

Root cause analysis

The effort to determine how the incident was able to occur.

Tabletop exercise

The least costly type of testing. The facilitator presents a scenario, and the responders explain what action they would take to identify, contain and eradicate the threat.

Netflow

A Cisco-developed means of reporting network flow information to a structured database. - Has been redeveloped as the IP Flow Information Export (IPFIX) IETF standard. A particular traffic flow can be defined by packets sharing the same characteristics, referred to as keys. - A selection of keys is called a flow label, while traffic matching a flow label is called a flow record. - A flow label is defined by packets that share the same key characteristics, such as IP source and destination addresses, source and destination ports, and protocol type. - These five pieces of information are referred to as a 5-tuple. A 7-tuple adds the input interface and IP type of service data. Each exporter caches data for newly seen flows and sets a timer to determine flow expiration. When a flow expires or becomes inactive, the exporter transmits the data to a collector.

Incident

A cybersecurity incident refers to either a successful or attempted violation of the security properties of an asset, compromising its confidentiality, integrity, or availability.

Walkthroughs

A facilitator presents the scenario as for a tabletop exercise, but the incident responders demonstrate what actions they would take in response.

Lessons Learned

Analyzes the incident and responses to identify whether procedures or systems could be improved. It is imperative to document the incident. Outputs from this phase feedback into a new preparation phase in the cycle.

Machine Learning (ML)

Able to rapidly analyze the sort of data sets produced by a SIEM. It can be used to monitor how analysts are responding to alerts, and attempt to automatically tune the ruleset in a way that reduces false negatives without impacting true positives.

Analysis

After the detection process reports one or more indicators, in the analysis process, the first responder investigates the data to determine whether a genuine incident has been identified and what level of priority it should be assigned.

Alerting

Alert response and remediation steps will often be guided by a playbook that assists the analyst with applying all incident response processes for a given scenario. One of the advantages of SIEM and advanced security orchestration, automation, and response (SOAR) solutions is to fully or partially automate validation and remediation.

Security Content Automation Protocol (SCAP)

Allows compatible scanners to determine whether a computer meets a configuration baseline.

Data Acquisition

Also complicated by the fact that it is more difficult to capture evidence from a digital crime scene than it is from a physical one. - Acquisition usually proceeds by using a tool to make an image from the data held on the target device. - Storage may be volatile or nonvolatile. The general principle is to capture evidence in the order of volatility: 1. CPU registers and cache memory (including cache on disk controllers, graphics cards, and so on). 2. Contents of nonpersistent system memory (RAM), including routing table, ARP cache, process table, kernel statistics. 3. Data on persistent mass storage devices (HDDs, SSDs, and flash memory devices).

Open Vulnerability and Assessment Language (OVAL)

An XML schema for describing system security state and querying vulnerability reports and information.

Extensible Configuration Checklist Description Format (XCCDF)

An XML schema for developing and auditing best practice configuration checklists and rules. Previously, best practice guides might have been written in prose for systems administrators to apply manually. XCCDF provides a machine-readable format that can be applied and validated using compatible software.

IPS/IDS Log

An event when a traffic pattern is matched to a rule.

Economic/Publicity

Both data integrity and downtime have important economic effects in the short term and the long term. Short-term costs involve incident response and lost business opportunities. Long-term economic costs may involve damage to reputation and market standing.

Detection time

Breaches can go on for weeks or months after intrusion without being detected. In a successful intrusion, data is typically breached within minutes. Systems used to search for intrusions must be thorough, and the response to detection must be fast.

Scope

Broadly, the number of systems affected; not a direct indicator of priority. A large number of systems might be infected with a type of malware that degrades performance but is not a data breach risk. This might be a masking attack as the adversary seeks to compromise data on a single database server storing top secret information.

Playbook

Data-driven standard operating procedure (SOP) to assist analysts in detecting and responding to specific cyber threat scenarios. The playbook starts with a report from an alert dashboard. It then leads the analyst through the analysis, containment, eradication, recovery, and lessons learned steps to take. - The CIRT should develop profiles or scenarios of typical incidents, such as DDoS attacks, virus/worm outbreaks, data exfiltration by an external adversary, data modification by an internal adversary, and so on. This guides investigators in determining priorities and remediation plans.

Incident Analysis

Depends on threat intelligence. This research provides insight into adversary tactics, techniques, and procedures (TTPs). Insights from threat research can be used to develop specific tools and playbooks to deal with event scenarios.

Endpoint Protection Platform (EPP) or Next-gen A-V

Detect malware by signature regardless of type, though detection rates can vary quite widely from product to product. - Many suites also integrate with user and entity behavior analytics (UEBA) and use AI-backed analysis to detect threat actor behavior that has bypassed malware signature matching. - Antivirus will usually be configured to block a detected threat automatically.

Analysis

Determines whether an incident has taken place and performs triage to assess how severe it might be from the data reported as indicators.

Static Acquisition by Pulling the Plug

Disconnecting the power at the wall socket. - Forensically clean state.

Detection

Discovers indicators of threat actor activity. Indicators that an incident may have occurred might be generated from an automated intrusion system. Alternatively, incidents might be manually detected through threat hunting operations or be reported by employees, customers, or law enforcement.

Packet Analysis

Refers to deep-down, frame-by-frame scrutiny of captured traffic using a tool such as Wireshark. - The analyzer decodes the packet to show the header fields at the data link/MAC, network/IP, and transport (TCP/UDP) layers.

Legal Hold

Refers to the fact that information that may be relevant to a court case must be preserved.

Recovery

Reintegrates the system into the business process it supports with the cause of the incident eradicated. This recovery phase may involve the restoration of data from backup and security testing.

Eradication

Removes the cause and restores the affected system to a secure state by applying secure configuration settings and installing patches once the incident is contained.

Static Acquisition by shutting down the Host

Runs the risk that the malware will detect the shutdown process and perform anti-forensics to try to remove traces of itself.
