Lesson 17: Performing Incident Response
Flow Collector
A means of recording metadata and statistics about network traffic rather than recording each frame
System and Security Logs (Windows)
Application: events generated by applications and services. Security: audit events (e.g. a failed logon). System: events generated by the OS and its services (e.g. a storage volume health check). Setup: events generated during OS installation. Forwarded: events sent to the local log from other hosts.
Adversarial AI Attack
The attacker uses their own AI resources to craft manipulated samples and submits them to the target system. Success mostly depends on knowledge of the algorithms used by the target AI (a white-box attack); if the algorithms are unknown, it is a black-box attack.
SIEM Correlation and Retention
Correlation means interpreting the relationship between individual data points to diagnose incidents of significance to the CIRT. A retention policy can be enacted so that historical log and traffic data are kept for a defined period. Correlation rules assign a criticality level: log only, alert, or alarm.
Application Log Files
DNS event logs: log an event each time the server handles a request to convert between a domain name and an IP address. Web/HTTP access logs: log HTTP traffic that encounters an error or matches a predefined rule; written in Common Log Format (CLF) or W3C format; 400-range status codes are client-side errors and 500-range codes are server-side errors. VoIP/call managers/SIP: use the call manager's access log or the SIP logs to audit suspicious connections. Dump file: a copy of system memory.
Playbook
Data-driven standard operating procedure (SOP) to assist junior analysts in detecting and responding to specific cyberthreat scenarios. It starts with a SIEM report and query designed to detect the incident, then identifies the key steps to take: a checklist of actions to perform to detect and respond to a specific type of incident.
Disaster Recovery Plan (DRP)
A disaster is a special class of incident that requires considerable resources and involves a wider range of stakeholders.
Incident Response
Fits into the overall planning for enterprise risk management and cybersecurity resilience.
Assess the Incident
Impact factors used to decide how to allocate resources: data integrity (often the most important; the value of the data at risk); downtime (degree of business interruption); economic/publicity (financial and reputational costs); scope (not a direct indicator of priority); detection time; recovery time.
Trend Types
Frequency: establishes a baseline for a metric and raises an alert if the frequency exceeds it. Volume: can be tracked with simple indicators such as network traffic. Statistical deviation: shows when a data point should be treated as suspicious (e.g. a data point that falls outside the two clusters of standard activity).
Call Manager
A gateway that connects endpoints within the local network and over the Internet.
Network Logs
Generated by network appliances; they record the operation and status of the appliance itself.
Cyber Incident Response Team (CIRT)
Group comprising senior management, managers, and technicians. For major incidents it can also involve the legal, HR, and marketing teams. Team membership is rotated to decrease the cost of upkeep.
Business Continuity Plan (BCP)
Identifies how business processes should deal with both minor and major disruptions.
Session Initiation Protocol (SIP)
Identifies endpoints to set up calls; the actual call content is transferred using the Real-time Transport Protocol (RTP).
Incident Containment
Isolation-based: removing an affected component from the larger environment it is part of (e.g. black hole routing, disabling an account or service, pulling the network plug). Segmentation-based: achieving isolation of the host(s) using network technologies and architecture (e.g. VLANs, ACLs, routing).
Flow Label and Record
Label: a selection of keys. Record: the traffic matching a flow label.
Incident Response Plan (IRP)
Lists the procedures, contacts, and resources available to responders for various incident categories.
Other Attack Frameworks
MITRE ATT&CK: an alternative to the kill chain; provides access to a database of known TTPs. Diamond Model of Intrusion Analysis: analyzes an intrusion event by exploring the relationships between four features (adversary, capability, infrastructure, and victim).
Sensor
Network tap or port mirror that performs packet capture and intrusion detection
Incident Response Process
PICERL. Preparation: make the system resilient to attack in the first place (e.g. hardening, policy and procedure writing, a confidential line of communication). Identification: from the information in an alert or report, determine whether an incident occurred and assess its severity, then notify stakeholders. Containment: limit the scope and magnitude of the incident; secure data while limiting the impact on customers and business partners. Eradication: remove the cause and restore the affected system to a secure state. Recovery: reintegrate the system, restore backups, monitor the system, etc. Lessons learned: analyze the incident and the response to identify what can be improved.
Incident Identification
Process of collating events and determining whether any of them should be managed as incidents or as possible precursors to an incident.
Trend Analysis
Process of detecting patterns or indicators within a data set over a time series and using those patterns to make predictions about future events; can apply to frequency, volume, or statistical behavior.
Metadata
Properties of data as it is created by an application, stored on media, or transferred over a network. File: stored as attributes. Web: resource plus headers. Email: internal header. Mobile: call detail records (CDRs) and SMS text information.
Network Data Sources
Protocol analyzer output. NetFlow/IPFIX: a flow collector, recording metadata and statistics about network traffic. sFlow: developed by HP and subsequently adopted as a web standard; uses sampling to measure traffic statistics at any layer of the OSI model for a wide range of protocol types. Bandwidth monitor.
SIEM Dashboard and Sensitivity
Provides a console to work from for day-to-day incident response. It is difficult to tune the system's sensitivity to reduce false positives.
Lockheed Kill Chain Phases
RWDEICA. Reconnaissance: the attacker determines what methods to use to complete the attack and gathers information. Weaponization: the attacker couples payload code that will enable access with exploit code that uses a vulnerability to execute on the target system. Delivery: the attacker identifies a vector by which to transmit the weaponized code. Exploitation: the weaponized code is executed on the system. Installation: the weaponized code runs a remote access tool and achieves persistence. C2 (command and control): the weaponized code establishes an outbound channel to a remote server that can be used to control the remote access tool and download additional tools. Actions on objectives: the attacker typically uses the access to covertly collect information (data exfiltration) or to pursue another motive.
Incident Eradication and Recovery
Reconstitution of affected systems: remove malicious tools from the system or restore it using secure backups. Re-audit security controls: ensure the controls are not vulnerable to another attack. Ensure affected parties are notified and provided with the means to remediate their own systems.
Retrospective Network Analysis (RNA)
Recording the full data of every packet; too costly
Communication Plan
Secure communications between members of the CIRT: communicate only with the members who need to know, and use end-to-end encryption for messaging (e.g. OTR, WhatsApp, S/MIME, PGP).
Incident Response Policy
Sets out the resources, processes, and guidelines for dealing with security incidents.
Continuity of Operations Plan (COOP)
Similar to a BCP; used for government facilities and refers specifically to backup methods of performing mission functions without IT support.
Call List
Status and event details are circulated on a need-to-know basis to the trusted parties on the call list.
Incident Response Exercises
Tabletop: least costly; a scenario is presented and responders explain the actions they would take to identify, contain, and eradicate it. Walkthrough: a scenario is presented as in a tabletop, but responders demonstrate the actions they would take. Simulation: team-based (red and blue); expensive and requires planning.
Digital Forensics
Techniques to collect and preserve evidence in a way that demonstrates there has been no tampering or manipulation.
First Responder
The appropriate person on the CIRT to notify so that they can take charge of the situation and formulate an appropriate response.
Incident Management
Vital to mitigating risk, controlling the immediate and specific threat, and preserving reputation.
Authentication Logs
Written to the security log or to the servers that authorize logins (e.g. RADIUS and TACACS+ servers or Windows AD).
Orchestration
Action of coordinating multiple automations (and possibly manual activity) to perform a complex, multistep task.
Runbook
Aims to automate as many stages of the playbook as possible, while leaving clearly defined interaction points for human analysis.
Email Header
Contains address information for the recipient and sender, plus details of the servers or Message Transfer Agents (MTAs) handling transmission of the message between them.
Air Gap
Disconnecting the host from the network completely (creating an air gap) or disabling its switch port. This is the least stealthy option and may reduce opportunities to analyze the attack or malware because of the isolation.
Data Loss Prevention (DLP)
Pertains to protecting sensitive information by mediating the copying of tagged data to restrict it to authorized media and services.
Event Log
Records events that occur within an operating system or a software application. These logs are used to diagnose errors and performance problems.
Access Log
Kept by server applications, such as Apache, which can log each connection or request for a resource.
Logging Platforms
syslog: logs event messages from a variety of hosts; a message comprises a PRI code, a header with timestamp and host name, and a message part; uses port 514/UDP. rsyslog: uses the same syntax as syslog but works over TCP and can use a secure connection. syslog-ng: uses a different syntax but also supports TCP and secure communications. journalctl: queries logs processed by systemd. nxlog: open-source log normalization tool; collects Windows logs and normalizes them to syslog format.
Weak Configuration
A weak configuration is one that is correctly applied but exploited anyway. Review of the settings is recommended to ensure the highest level of security.
Configuration Change
When malware exploits an undocumented configuration change (shadow IT software or an unauthorized service/port, for instance).