Module 07- Incident Response in Cloud - Part 2

in Azure _______ is a security management system that helps prevent, identify, and respond to threats by offering a greater control over and enhanced visibility into Azure resources.

Azure Security Center (ASC) it helps incident responders detect and respond to incidents easily with its security alerts feature ASC's threat protection feature includes fusion kill-chain analysis, which helps better understand the origin of an attack and its impact on an organization's resources.

What is one why to ensure and know that security controls implemented function as expected ??

Simulation and Testing Simulating the occurred events helps determine if the established security controls and processes are reacting as expected

Azure IR lifecycle

Stage 1: Preparation - adopt standard processes for IR - Setup Incident Notification in ASC Stage 2: Detection and Analysis - generate high-quality alerts - Investigate potential Incident and eliminate false positives - Prioritize Incidents based on their alert severity and asset sensitivity. Stage 4-5: Containment, Eradication, and Recovery: Automate Incident Handling Speed up the response time and offload the burden from analysts by automating repetitive tasks.

Infrastructure domain incidents are those that affect the data or network activities. E.g traffic to the EC2 instance in the VPC, data on EC2 instances or containers,

Steps to Address Infrastructure Domain Incidents. E.g Security anomaly has occurred in an EC2 instance. - Capture EC2 instance Metadata - Protect the Instance from accidental termination by enabling termination protection. - Isolate the Instance using NACL or VPC security group - Detach EC2 Instance from auto-scaling group - Take snapshots of the EBS data volumes connected to EC2 instance - Tag EC2 Instance as quarantined for investigation Create new EBS volumes using the snapshots and attach to EC2 instance forensics for an in-depth analysis.

_________________ Exercise is conducted in collaboration with an external legal counsel to discuss the non-technical aspects of IR.

Tabletop Exercise tabletop exercise is conducted with all IR team members to test how they respond to press, customers, and regulators following security incidents

_______________ is used to logically organize Azure resources, resource groups, and subscriptions into a taxonomy

Tags Tags consist of a pair of a name and a value

AWS Incident Response Plan: Iterate

- A simulation also provides feedback to the organization on whether things are working as expected. - simulation outcomes improve the security response. This will also improve agility through incremental improvements/ enhance the existing procedures or create new procedures

AWS Investigation and Detection: Third-party Tools

- AWS IR -: A CLI tool for handling IR - Incident Pony -: A case and IR management tool - Arkime -: open source packet capture tool - Wireshark -: a deep network analyzer tool - Mandiant -: MSIR (Manage provider for forensic & IR solution ) - Encase Endpoint investigator: digital forensic investigation tool - FTK imager -: tool for collecting data evidence - Linux Memory Extractor (LiME) -: tool for capuring volatile memory from linux device - Margarita Shotgun: a tool used to capture memory from running Linux Instance

AWS Automating Response Serive list 5

- AWS Lambda - AWS Step Functions - Auto Remediation with AWS Config Rules - SSM Agent - AWS Fargate - Amazon EC2. >>>>NB: Use a central account to perform all detection and remediation steps for an organization. Events per second (EPS) metric is used for estimating the cost. - high EPS = high price for sending the events to centralized accounts.

types of container threat detectors

- Added Binary Executed: The added binary executed detector searches for an executed binary that was not included in the original container image. - Added Library Loaded: The added library loaded detector searches for a binary that is being executed but was not included in the original container image. Reverse Shell: The reverse shell detector searches for stream redirections to a remote-controlled socket.

List 6 AWS Investigation and Detection Service tools; These Tools can be used to responding to an incident in AWS

- Amazon GuardDuty -> threat detection service - Amazon Macie -> data security service for identifying, classify and protecting sensitive data - Amazon Inspector -> security assessment service - AWS Lambda -> serverless compute service that runs code to responses to security events - Amazon Detective -> investigate the cause of security event or suspicious activities - Amazon Security Hub -> provides central view of the security alerts across the AWS account

List 2 Azure services used to automate IR lifecylce process

- Azure Sentinel - Azure Security Center (ASC)

List 2 Azure services used to automate IR lifecylce process ?

- Azure Sentinel - Azure Security Center (ASC) ASC data connector => Streaming alerts to Azure Sentinel = automatically generating incidents

design goals relevant to incident response in cloud

- Build Response Objectives: IR should work with other team to understand incidence response - Respond to Events: Implement the response patterns where the event and data occur. - Preserve Evidence: Preserve logs, snapshots, and any other important evidence - Adopt Redeployment Techniques: Resolve through a redeployment with an appropriate configuration if a security anomaly is caused by a misconfiguration - Implement Automation: implement automation mechanisms for frequently repeated incidents and issues - Choose Scalable Solutions: match the scalability approach adopted by the organization to cloud computing. - Improve the Process: Improve the process, tools, and people to fix any gaps. Use simulations to achieve this.

Methods to Reduce Unknown Risks in Cloud

- Define Security Assertions - Educate the Team - Reduce the Attack Surface - Threat Intelligence - Set alert notification - Leverage machine learning

CAF - Security Perspective Components

- Directive Controls: Set-up GRC models - Preventive Controls: secure workloads to help minimize vulnerabilities and threats - Detective Controls: provide a complete visibility into the AWS deployment operations. - Responsive Controls: remediate the potential deviations from security baselines.

Azure IR - Detection and Analysis

- Ensure high-quality alerts are generated and measure their quality for a comparison with the previous incidents - ASC provides high-quality alerts across multiple assets in Azure. - Use export feature to export ASC recommendations and alerts to detect risks to Azure resources

Azure IR - Detection and Analysis -I

- Ensure high-quality alerts are generated and measure their quality for a comparison with the previous incidents - ASC provides high-quality alerts across multiple assets in Azure. - Use export feature to export ASC recommendations and alerts to detect risks to Azure resources

GCP IR Steps

- Identification: Detection & Reporting - Coordination : Triage & Engage Response team - Resolution : Investigation, Communication, Containment & Recovery - Closure: Lesson Leaned - Continuous improvement : Program Development & Prevention

Simulation Steps

- Identify a high-priority issue - Find a builder and tester for developing effective simulations. - build realistic simulations so that all participants will value them. - Build simulation materials such as potential runbooks, email alerts, and logging artifacts. - Invite all individuals who have a role in the simulations. e.g legal counsel - Run the Simulation - Measure the performance, and improve and repeat the subsequent simulations.

Organizations with an IRP should do the following:

- Identify the indicators of security incidents - Classify the incident types - Identify the cause of an incident to respond to it - Understand the incident response workflows - Prepare for incidents

AWS CAF security perspective

- Identity and Access management (IAM) - Detective controls to enhenace transparency and visible to AWS OPs - Enhance Infrastructure security controls - Data protection - Enhance Incidence response to reduce the damage after a security incident. With an automated incident response and recovery in place, the security team can shift its focus from response to forensics and root cause analysis

incident response team @ google

- Incident Commander : head of a team - Communications Lead : manages the communications related to an incident. - Operations Lead : manages the response and remediation - Subject Matter Experts: experts from different fields based on the incident type. They are involved in different domains such as security and privacy, legal, product, support, digital forensics, signals detection, and global investigations.

Indicators of Cloud Security Events

- Logs and Monitors: logs of various AWS services, such as VPC Flow logs, S3 access logs, and CloudTrail logs. AWS monitoring services such as GuardDuty, Security Hub, Detective, and Macie. - sudden decrease or increase Billing Activity - correlate generated logs with Threat Intelligence 3rd party tools - Adopt AWS APN Partner Tools - One-time Contact: utilize well-defined method to contact the security team. security events may be identified by users, customers, developers, or other organization staff. - AWS Support: The AWS support team will contact the cloud customers upon identifying any malicious activity. AWS security incidents tools using - Amazon Detective - Amazon Athena - Amazon CloudWatch Events - Event Bus rules.

Cloud Provider Support AWS managed services provides the management of infrastructure so that the cloud customers can focus on their applications.

- Management such as Common activities such as monitoring, security, change requests, backup services, and patch management are automated. - In the case of an alert, AWS managed services (AMS) follow a set of manual and automated runbooks to initiate a response - support plans offer 24/7 access to AWS account, whitepapers, documentation, blogs, and support forums. - AWS Support provides DDoS Response Support - AWS Support Escalation Path for situations that require an escalation

Prepare process - IRP >>>>>> Once a proper access is provisioned and tested, an incident response (IR) team should develop the remediation and investigation processes

- Prepare runbook both manual and automated to help IR team respond to incident quickly - Prepare IR Team Access creds to AWS Accounts: Document the authentication and authorization of the team and test them before an incident occurs. - A decision tree helps in decision making and identifying actions and outcomes, depending on the required conditions and inputs. - Though it is essential to respond to security events in an AWS account, it is better to investigate the data outside the affected account. - Incident responders must have access to logs for analysis and should be able to view and copy the data. - Allow sharing of the snapshots with other AWS accounts for investigating the security events in AWS EC2 instances - Amazon CloudWatch logs can be shared with another account using CloudWatch Logs subscription - When logs and other important evidence are copied to another AWS account, the replicated data should also be protected (Configure the S3 bucket to protect the integrity of data stored enabling MFA, configuring S3 versioning, and managing access permission with the bucket policies) - Once the investigation is completed, use object lifecycle policies to move the collected data from Amazon S3 to S3 Glacier for a long-term storage. - Use S3 Glacier Vault Lock to protect the data in S3 Glacier. - customized forensic workstation for mounting copies of the affected data volumes.

Azure IR Best Practices

- Prepare the analysts and update IR processes for responding to security incidents on Azure. - Security professionals should quickly and effectively respond to the attacks as they may cause an immediate risk or damage to the organization, making the situation difficult to control. - Security operations typically manage the incident response process with support from other groups for improved knowledge and expertise - Ensure to updation and prepare the team on the approach to be followed on finding an active attacker. - Key Focus Area * Shared Responsibility Model and Cloud Architectures * Endpoint Data Sources * Network and Identity Data Sources: develop a deep understanding of cloud identity protocols to get visibility into attacker activity * Practice Exercises: Conduct exercises involving simulated attacks and responses because they help verify the organizational readiness to handle incidents.

Types of Security Alert

- True positive: suspicious activity - Benign positive: suspicious but expected activity - False positive: incorrect alert logic - False positive: incorrect data - Undetermined

Set Up Incident Notification in Azure

- connect Orgs Microsoft Security Response Center (MSRC) to detects any unauthorized data access attempt to contact in Azure Security Center - This helps review incidents to resolve them. - in ASC, high-severity alert is triggered by default and sent to subscribers email - email notification preferences can be changed on ASC's email notification settings page

Azure Security Center Feature

- it provides incident-related artifacts and information during investigations to understand threats or anomalies - It generates an alert on detecting threats to an organization's resources, classifies alerts based on their severity - provides the additional details required for a further investigation. ASC features - Streamlined Threat Investigation - It displays the security state of resources, detects threats and vulnerabilities, and recommends mitigations by gathering data from different sources - It gathers and secures security-related data (metadata, configuration information, event logs, etc.) - recommends policies and actions to be necessarily implemented for preventing threats. - automatically triggers incident responses via Logic Apps on security recommendations and alerts for securing Azure resources.

About Security Command Center (SCC)

- security and risk management platform - provides dashboard-based analytics for detecting and responding to security risks in GCP - provides a unified dashboard to prevent, identify, and respond to threats in a Google Cloud environment - It provides real-time alerts for vulnerabilities and threats along with their remediation measures - It can be used only by a user with a security center IAM role - It helps in monitoring the organization's security state for a specified time and the assets that have changed over time.

Security incidents mainly occur in three domains in AWS. LIST THEM ?

- service domain incident - infrastructure domain incident - application domain incident

AWS Incident Detection and Response Capabilities

1. AWS Service for Investigating security events - Amazon CloudWatch logs - AWS CloudTrail logs - Amazon S3 access logs 2. AWS centralized logging solution AWS logs can be consolidated and stored in Amazon S3 and use Amazon Athena to query the logs. 3. Use AWS partner products to simplify the analysis of logs or APN Security Competency program Get valuable insights into security log data using AWS services such as - Amazon GuardDuty - AWS Security Hub.

AWS CAF Capabilities Complete these: PSO 1. Business => 2. People => 3. Governance =>

1. Business => PLATFORM 2. PEOPLE => SECURITY 3. Governance => OPERATION leading to Directive, Preventive, Detective and Responsive

Features of Google Cloud Operations Suite

1. Cloud Logging: Logs Explorer, a storage for logs, and an API to manage the logs 2. Cloud Monitoring: Cloud Monitoring helps analyze whether the services hosted in GCP are healthy, whether a service loads, and whether they are performing well * different types - Black Box Monitoring: does not reveal any information regarding the internals. - White Box Monitoring : monitor only specific services - Gray Box Monitoring : present state of the service environment is collected. 3. Cloud Profiler can collect the information regarding the CPU usage and memory allocation of applications deployed in GCP.

Types of Incidents in Cloud

1. Compliance Variance: An incidents that violates compliance policies. 2. Service Disruption: An Incidents due to Unavailability to access cloud resources 3. Unauthorized Resources: An Incident involving creation of unauthorized resources 4. Unauthorized Access: An Incident involving unauthorized access to cloud resource via an unauthorized user, IP address, or system 5. Privilege Escalation: An Incident leading to elevation of access permission to cloud resource 6. Persistence: An Incident leading to maintaining access mechanism to compromised account 7. Excessive Permissions: An Incident due to Overpermissive permission 8. Information Exposure: It refers to an unauthorized access to critical or sensitive data. 9. Credential Exposure: It refers to an unauthorized access to AWS credentials.

AWS IRP Implementation in 4 Steps => EPSI

1. Educate - train IR team on AWS technology 2. Prepare - detect and respond to the incidents. 3. Simulate - simulate the expected and unexpected security events 4. Iterate - iterate the outcome of the simulation to improve the response posture and reduce the risk and time for evaluation.

Life Cycle of an Incident

1. Incident Detection using internal detection and black box monitoring of external behavior to detect incidents. 2. Initial Response The Google customer care team communicates with the customer if an incident is detected. 3. Investigation 4. Mitigation/Fix 5. Follow Up 6. Post-mortem 7. Incident Report Google provides incident reports, which explains the reason, remediation, and prevention of such major incidents.

window of response, which consists of four quadrants. Between Orgs IR team AND APN

1. Obvious: incidents that both the incident response team and APN partner are aware of 2. Blink spot : incidents that the APN partner is familiar with, but not the response team 3. Internaly Known : incidents that the team is familiar with, but not the APN partner. 4. Unkown : incidents unknown to both the team and APN partner.

Azure IR -- Preparation - Ensure processes are in place for responding to security incidents - update and test these processes regularly to ensure their readiness - Build/update an enterprise IR plan across (Technology, Operations, Legal, Communication)

=> General Preparation - Identify critically important high-value assets (HVAs) such as servers, data files, and applications. - Ensure the scripts/installers can be executed rapidly on all endpoints for a recovery - Ensure skilled individuals in the team to detect advanced attackers => Investigation Preparation - Ensure required skills and tools to investigate targeted attacks - Track and Analyze the Cost to Responding to incidents => Recovery Preparation - Ensure you have the required backup and recovery capabilities for critical data. - Document procedures that are often used during security incidents e.g Network isolation and segregation procedures

AWS Incident Response Plan: Automate

=> Incident Response Automation helps the organization spend more time on improving the security of the AWS cloud environment through the use of AWS APIs and tools => Automate software development methods, identity management, network security, and data protection.

____________________ is used in IR and consist of documented organization procedures for performing tasks during a security incident

A runbook A runbook can be digital copy or printed copies. NB: Before creating runbooks, focus on the currently generated alerts by investigating them. After determining the best solution, the logic can be deconstructed into a code-based solution and used as a tool to automate the response. Potential mistakes are possible if you manually follow the written runbooks >>> It is recommended to automate all repetitive tasks. >>> Automation uses functions to process repetitive and normal alerts, enabling the team to handle sensitive and severe incidents.

Instead of using SSH or RDP to connect to the instance, the IR team should use __________________ ???

AWS Systems Manager (SSM) Use SSM to Rrun Command helps the responder make changes securely and remotely by running Linux shell scripts or Windows PowerShell commands on the instance.

In AWS ______________ Framework helps cloud consumers implement appropriate security controls while planning to migrate to the cloud ?

AWS cloud adoption framework (CAF) AWS CAF helps cloud consumers implement appropriate security controls in their organization

A successful IRP (Incident Response Plan) involves capabilities and remediation methods put in place before an incident occurs.

An IRP - defines the incidents - roles of security teams - tools for handling breaches - required steps to be taken for handling a security incident - how such incidents should be investigated and communicated.

benefits of an IRP

An IRP in place helps - Maintain trust and reputation of their customers. - Maintain Investors and shareholders trust after a data breach - safeguards the organization from a potential loss of revenue. >>>>>>>> The faster an organization detects and responds to a data breach, the less likely it is to impact data, company revenue, customer trust, and its reputation.

Offline Investigation the instance will be immediately shut down.

An online investigation is performed to keep the instance running. The incidence response team can choose an online investigation if they need to copy unstable evidence such as network traffic from the host operating system. Capture Volatile Data Use the IAM service for tasks on the EC2 instance. - Using SSH or RDP to Access EC2 is not a best practice. Using an automation tool is recommended to perform tasks on the instance.

Security incidents in _______________ domain involves Incidents found in an application code, or in a software deployed for the infrastructure or services

Application domain - Application domain incidents should be included in runbooks and cloud threat detection - incidents can be handled using cloud tools, automated recovery, deployment, and forensics.

________ is a cloud-native SOAR and SIEM tool that provides threat visibility, alert detection, and threat response on Azure.

Azure Sentinel It use Microsoft's threat intelligence and any other third-party threat intelligence to detect and respond to threats. Its investigation tools help find the root cause of an incident. Azure Sentinel IR features - It detects previously undetected threats and minimizes false positives - investigate threats using artificial intelligence. - It collects cloud data of devices, users, infrastructure, and applications (both on cloud and on-premises). - respond to incidents using its built-in orchestration and automation.

________ a built-in service in SCC, displays the information on security abnormalities detected across GCP projects. Security anomalies include credential leakage, crypto mining, intrusion attempts, etc.

Cloud Anomaly Detection- built-in service in SCC

In GCP ________________ helps meet your specific compliance requirements by allowing you to understand and manage critical data. It prevents the disclosure of sensitive information, such as credit card numbers, names, social security numbers and GCP credentials, by offering scalability and fast information classification and redaction. Cloud DLP scans storage buckets, folders, and objects containing sensitive data to meet the security compliance requirements.

Cloud Data Loss Prevention (DLP) Cloud DLP manages sensitive information and personally identifiable information (PII).

In GCP the container images are monitored by ______________________, a built-in service to detect run-time attacks and their related alerts

Container Threat Detection - built-in service in SCC

Which is the right method to grant access to IR Team A. Indirect Access: it is a complex and slower process. B. Direct Access using IAM role C. Alternative Access using a new AWS account D. Automation Access using IAM roles + SSM E. Managed Services Access: AWS managed service or a managed services partner (shared responsibility btw CSP & CSC)

E. Managed Services Access: AWS managed service or a managed services partner (shared responsibility btw CSP & CSC) AWS managed services reduce the operational overhead of customers by using best practices to maintain the infrastructure. It automates common activities such as patch management, monitoring, security, change requests, and backup services. In addition, it offers full lifecycle services for provisioning, running, and supporting the organization's infrastructure.

In GCP _________________ performs a real-time monitoring of an organization's Cloud Logging logs and detect threats by applying a detection logic, threat intelligence, and information from the logs. It can detect crypto mining, malware, brute-force SSH attacks, ongoing DoS attacks, etc.

Event threat Detection - built-in service in SCC

The process of handling incidents manually may result in alert _________. which, in turn, will increase the chances of human errors and lead to delays. Moreover, the chances of losing focus on complex tasks will increase, which may degrade the ability of analysts to respond to incidents.

Fatigue Speed up the incident response time and reduce the burden on analysts by automating repetitive manual tasks

_______________incident response (IR) program includes - actions - escalations - mitigations - resolutions - notifications of incidents to ensure CIA.

GCP Google IR program offers - latest techniques to resolve incidents efficiently. - It detects and mitigates incidents using ML, monitoring systems, data analytics services - subject matter experts (SMEs) who can be deployed for responding to any type or size of data incident. - notifies the affected customers in accordance with the service terms and agreements.

IR phase is the same with AWS and GCP (P-DA-CER-P) but different in GCP

GCP IR include (ICRCC) - identification - coordination - resolution - closure - continuous improvement

_________________ Service is used to monitor GCP cloud environment by creating logs, metrics, and alerts on security incidents. Filters can be applied to the logs and alerts to investigate a particular incident.

GCP operations suite

GCP IR - Identification

GCP provides tools, signals, and alert mechanisms for an early incident detection. - Automated Logs Analysis - Testing: The security team of Google performs penetration tests, intrusion detection tests - Internal Code Reviews: Verification of the source code helps detect any hidden vulnerabilities - Product Specific Tools: Product-level incidents can be detected by domain-specific automated tools. - Anomaly Detection: To differentiate between legitimate and malicious activities using machine learning systems - Vulnerability Rewards Programs: Google offers vulnerability rewards programs where security researchers can report any vulnerabilities

___________ Cloud service is equipped with automated features and manual configurations to detect and prevent DDoS attacks and other Top-10 OWASP risks on the application.

Google Cloud Armor

In GCP __________ service is used to inform a user about the security issues in GCP applications. Alerting policies can be defined for the circumstances under which an alert is to be generated

Google Cloud Monitoring alerts An incident is a record of the alerting policy trigger. When the conditions of an alerting policy are satisfied, an incident is recorded by Cloud Monitoring. The incidents can be in three states: - Open: Open status indicates the alerting policy conditions are satisfied - Acknowledged: Acknowledged indicates that an incident is open and under investigation. - Closed: Closed status indicates the policy condition has been terminated

_________________ GCP service is used display any service availability issues. ANd also lists incidents that affect multiple users. The incidents are marked as a disruption or an outage based on their severity.

Google Cloud Status Dashboard The alerts on the Google Cloud Status Dashboard incidents can be received by subscribing to the Google Groups associated with certain services.

GCP IR - Coordination

Google IR start after on-call responder reviews the incident type to be data incident. triage assessment, severity assessment, and informing the incident response team to analyze the areas that require an investigation

GCP IR - Continuous Improvement

Google improves the overall security posture by analyzing previous incidents and deploying measures to prevent future incidents - Machine learning methods are employed for analyzing malicious activities, responding to threats, and conducting security audits. - Google conducts security awareness campaigns, and incident response procedures are tested on systems that store sensitive information. Project Zero team of Google reports bugs to software providers, which helps prevent attacks

_____________ Method is a powerful way to capture the memory on an EC2 instance as it does not depend on other services. It supports both automation and repeatable processes

Hibernation An instance can be hibernated to create a copy to the EBS volume. Pre-planning is necessary for hibernation because only certain operating systems and instance types support it.

During a security incident, the incident response (IR) team faces several problems and may fail to follow a proper incident response procedure to reduce the damage. Therefore, an IRP should be prepared in advance to prevent any damage to reputation adverse business impact. HOW??

IR Team should - develop IR runbooks/playbook -build an incident response library to iterate and improve the incidence response accordingly.

AWS Incident Response Plan AWS CSP => responsible for handling the security of the cloud User CSC => responsible for handling the security in the cloud

Incident response in AWS is a method of handling security issues or incidents, data breaches, and cyberthreats. An effective incident response plan (IRP) allows the customers to efficiently identify, handle, and minimize the damage, and find and fix the cause.

A Security incidents in _______________ domain includes the processes that run on the EC2 instance and the traffic to the instance; network-related activities or application data.

Infrastructure Domain - Incident is handled using AWS APIs along with a digital forensic/incident response software. - Such incidents may involve an analysis of the Amazon EBS volume's disk blocks, network packet captures, or volatile memory.

Azure IR - Detection and Analysis -II intelligence on an incident can be associated with tracking and reporting. To manage the entire lifecycle of incidents, Azure Sentinel provides extensive data analytics capabilities.

Investigate an Incident - Track the activities of a potential attacker by collecting different types of logs to avoide blind spots Prioritize Incidents based on the alert sensitivity and severity - Azure resources' criticality - The environment where the incident has occurred data sources to investigate an incident with Azure Sentinel: - Network Data: Capture network flow logs and other analytics using Azure Monitor and Network Watcher. - Snapshots of Running (Live) Systems e.g Azure VMs, memory dump

NOTE

Investigate an Incident - Track the activities of a potential attacker by collecting different types of logs to avoide blind spots data sources to investigate an incident with Azure Sentinel: - Network Data: Capture network flow logs and other analytics using Azure Monitor and Network Watcher. - Snapshots of Running (Live) Systems e.g Azure VMs, memory dump

Azure IR -- Preparation

Operation - Adapt ICS (incident command system) for Crisis Management in natural disasters and security incidents - Have a framework that specifies the IR program. - Ensure a recurring schedule for testing crisis processes and teams Legal - Legal advisors provide legal advice on contractual, statutory, and regulatory duties. Communications - communications involves actions that organizations take to remediate and investigate security incidents - it includes hiring forensics experts and notifying law enforcement to help investigate an incident along with any other general steps for its remediation.

AWS IRP - EDUCATE NB: Security and Compliance is a Shared Responsibility

Orgs should educate their IR Team on AWS cloud technologies and Usage Education includes: - Understanding of cloud security INcidents - How to perform incident respons in cloud - How to identify indicators od cloud security events - Understand AWS security and compliance shared responsibility - Understand cloud capabilities AWS and cloud customers are responsible for handling security and compliance in the cloud. Amazon controls and monitors all components from the host OS. The cloud customers are responsible for handling the host operating system and configuring security groups, network access control lists, IAM, etc.

_____________service in GCP offers a full packet capture of the network traffic for detecting any abnormalities. Packet capture can be configured for both inbound and outbound network traffic

Packet Mirroring service packet mirroring happens on VM instances and it consumes excess bandwidth on VMs. 1. Mirrored Sources: Mirrored sources are compute engine VM instances. They can be selected by specifying subnets. all traffic in that subnet is mirrored. 2. Collector Destination: Instance groups behind an internal load balancer constitute a collector destination. The traffic from the mirrored sources is copied to a collector destination by the Packet Mirroring service.

_________ when designed trigger actions automatically to respond to the incoming security alerts using the workflow automation features of ASC and Azure Sentinel

Playbook Playbooks can effectively take actions such as - isolating problematic accounts - sending notifications - disabling accounts. incident handling process: - Configure workflow automation in ASC - Set up automated threat responses in ASC - Set up automated threat responses in Sentinel

AWS IRP - Prepare

Preparing people involves - Define Roles and Responsibilities - Define Response Mechanisms: document the incident response procedures to help remediate and investigate incidents. - Create an Adaptive and Receptive Security Culture: Provide a clear channel or way for all staff members to report security incidents when they find them. - Predict Response: automate IRP to handle recurring and simple security tasks - Establish A trusted security APN partner also helps identify the potential risks an organization may not be familiar with.

Set up Automated Threat Responses in ASC Azure Security Center (ASC) uses threat intelligence and advanced analytics to analyze hybrid-cloud workloads to alert or notify you about potential malicious activities within your cloud resources.

SOLUTION Integrate security alerts from other security services and products into ASC. Quickly investigate and remediate a potential issue after an alert is raised. security alerts (other security services and products) => ASC (investigate and remediate potential issue)

_____________ is another platform similar to GCP Ops Suite. it is used in GCP for real-time monitoring of the infrastructure. It consists of Security Health Analytics, Web Security Scanner, and Event Threat Detection, and helps collect log data to take necessary actions on threats.

Security Command Center

_________________ Service in GCP can be used in detecing and preventing misconfigurations and security compliance violations in GCP resources

Security Health Analytics (SHA) An SHA user must have either an organization administrator IAM role or a SCC IAM role two modes: batch mode and real-time mode. - The batch mode automatically runs twice a day in 12 hours. - The real-time mode runs scans during asset configuration changes. The vulnerabilities detected by SHA include publicly accessible firewall rules, Cloud Storage buckets, instances that have not enforced SSL, etc. => The SHA findings describe how to remediate an issue.

_________________ built-in service in SCC that uses Cloud audit logs for monitoring the infrastructure for specific security events. It can detect the following threats: - User accounts without multi-factor authentication - Container vulnerabilities - DNS vulnerabilities - Firewall vulnerabilities - Network vulnerabilities - SSH password vulnerabilities

Security Health Analytics - NOTE

AWS Security Incident Response Plan: Simulation

Security Incident Response Simulations (SIRS) SIRS helps in practicing the IR plan and other procedures during a real security incident. SIRS activities are internal and are concerned with preparing and iteratively improving the response capabilities SIRS activities include - Validating readiness - Learning from simulations and training the concerned teams - Generation of artifacts for accreditation - Improving tools to improve speed - Simplifying communication and escalation - Developing familiarity with unexpected and rare security incidents

___________ is a security and risk management platform that provides dashboard-based analytics for detecting and responding to security risks in GCP

Security command center (SCC) IR features of SCC - Asset Review : discovery scans to detect new, modified, or removed assets. - Identification of Sensitive Data - Detection of Application Vulnerabilities - Monitoring Access Control - Anomaly Detection e.g abnormal network traffic and bot attacks. - Security Marks: Findings or assets can be annotated using security marks.

Set up Automated Threat Responses in Azure Sentinel _____________ is used to set up automated threat responses to security alerts detected by Azure Sentinel.

Security playbooks Setting up an automated threat response in Azure Sentinel involves creating a playbook, running it, and automating threat responses.

A Security incidents in _______________ domain affects AWS accounts of users, IAM roles and permissions, metadata, billing, among others.

Service Domain - Service domain incident is handled using AWS API mechanisms - service domain incident is caused by improper configuration or AWS resource permissions.

Example of IR in AWS - User action is taken and logged via AWS API event logs generated by CloudTrail and stored in S3 - CloudWatch events can be enabled to monitor user changes via AWS Lambda - When changes action is made by the user, AWS Lambda automatically allocates the compute resources and generates SNS.

The SNS is sent to the response team about the security events, and can execute the required actions.

Cloud Anomaly Detection uses behavioral signals to monitor security anomalies, such as a deviation from a usual behavior

The anomalous security findings detected by Cloud Anomaly Detection are: - Leaked Account Credentials - Resources Utilized for Outbound Intrusions: such as brute-force SSH, port scan, and brute-force FTP - Compromised Machine - Crypto Mining - Unusual Activities - Resource Used for Phishing

GCP IR - Resolution

The real cause of an incident, its mitigation, and the necessary security fixes can be done in this phase. - To notify the customers if the incidents affects their data, the communications lead develops a communication plan in consultation with the product and legal leads.

GCP IR - Closure

This involves post-mortem analysis to identify the underlying reasons and the measures to be adopted to prevent such incidents in the future The incident is closed after completing the remediation process.

T/ F Packet Mirroring captures the network traffic packets so that they can be used for examining vulnerabilities. Packet capture can be configured for both inbound and outbound network traffic.

True A packet mirroring policy must be created to configure Packet Mirroring. The created policy should specify a source and destination. Packet mirroring policy has mirrored sources and collector destinations. Mirrored sources are compute engine VM instances, and collector destinations are instance groups behind the internal load balancer.

Disclosing or communicating initial findings early during an IR process/investigation is risky as the dynamic leads may be proved incorrect at a later stage. True or False

True Communicating information on security incidents requires a deep understanding of the dynamics of cybersecurity issues and a careful planning. This results in a loss of credibility, increased negative coverage, and an additional news cycle.

Automating the organization's monitoring and IR processes will help reduce the time taken to respond to and mitigate security incidents. T/ F

True Deploy workflow automation configurations across the organization using Azure's "DeployIfNotExist" policy.

Lab NOTE

Use ASC Data Connector to Stream Alerts to Azure Sentinel - To stream alerts from Security Center into Sentinel, use Azure Defender Export ASC Alerts and Recommendations using the Export Feature to Identify Risks - exports Security Center alerts and recommendations for better identification of risks to Azure resources Capture Network Flow Logs using Azure NetworkWatcher - capture network security group (NSG) flow logs using Azure NetworkWatcher - NSG helps filter network traffic to and from a VM Capture Network Flow Logs using Azure Monitor - Configure all NSG flow logs for the selected subscriptions grouped by location using Azure Monitor. Use Azure VM's Snapshot Feature to Create a Snapshot of the Running System Disk - Take new snapshots of a VM's virtual hard disks (VHDs) before making/testing major development changes, testing new application settings, adding Windows updates, etc

in GCP __________________ service provides information on the packets going in and out of a network to identify threats. it collect a sample of network flow sent or received by VM instances for network monitoring, real-time security analysis, forensics, etc.

VPC Flow logs

___________ cloud service can be used to set up a service perimeter for communications within GCP resources. The communications outside this perimeter are blocked. These controls help prevent data exfiltration from GC services such as BigQuery and Cloud Storage and maintains a log of all denied access controls.

VPC Service Controls Types * enforced mode perimeter configuration, the access requests made from outside the perimeter are denied. * dry run mode perimeter configuration, an access that violates the policy is not denied but only logged. It is recommended to use both IAM and VPC Service Controls for a better security.

In GCP _______________ help in denying or allowing connections based on a network configuration. They are stateful enforced firewall rules . These rules control the network traffic and strengthen the security of your cloud environment.

VPC firewall rules Each VPC firewall rule is applicable to either incoming traffic or outgoing traffic, but not both. These rules support only IPv4 connections. Use firewall rules to monitor network packets for any malicious content.

_________________ is the major cause of incidents in Application Domain.

Vulnerability in application code or within a software deployed. Application domain should be included in the runbooks and cloud threat detection.

_________________________built-in service in SCC that can detect security vulnerabilities in the web applications hosted on various GCP platforms. It is quite efficient in threat detection as it does not display low-confidence alerts, which eliminates false positives. It includes managed scans and custom scans. Managed scans can centrally manage vulnerability detection in applications and custom scans can detect vulnerabilities such as XSS, outdated libraries, etc

Web Security Scanner - WSS

Event-driven Response

event-driven response use detective mechanism to automatically remediate a security event by using AWS lambda, It automatically manages all underlying architectures. - This method is used to reduce the time gap between a detective mechanism and a response mechanism. The main goal of event-driven response is to execute response tasks and intimate the responder about the successful resolution of the security anomaly.

Google Data Incident Response Team ______________ is the head and assigns team members task based on the different aspects of an incident.

incident commander Incident Commander: The head of a team who coordinates the incident response and resolution plans.

__________________is the major root causes of service domain incidents

misconfigurations or resource permissions It mainly affects a user's AWS account, resource metadata, billing, etc. AWS API can be revoked via - AWS CLI - SDK - AWS web Console If an hacker gets credentials to an account, they can revoke or disable Logs in APIs. To avoid these types of incidents, a cloud administrator can configure suitable IAM permissions by protecting the IAM credentials. - Use tools and services such as Trusted Advisor to detect multiple configuration issues

Event Threat Detection logs are automatically available in the console. It notifies users about high-risk alerts

types of threats that can be detected - Brute-force SSH attempts via Linux auth logs - Crypto Mining via VPC logs for coin mining malware - Cloud IAM Abuse - Malware: examines VPC Flow logs and Cloud DNS logs for connections to bad domains to detect malware. - Phishing attempts by examining VPC Flow logs for a connection to known phishing domains. - Outgoing DDoS attacks examining the size, type, and number of VPC Flow logs.