Security+ Chapter 12


Kill Chain

A model developed by Lockheed Martin that describes the stages by which a threat actor progresses to a network intrusion. Recon, Weaponization, Delivery, Exploitation, Installation, Command & Control, Actions on Objectives. See Word.

Listener/Collector

A network appliance that gathers or receives log and/or state data from other network systems.

Legal Hold

A process designed to preserve all relevant information when litigation is reasonably expected to occur.

Your consultancy includes a training segment. What type of incident response exercise will best represent a practical incident handling scenario?

A simulation exercise creates an actual intrusion scenario, with a red team performing the intrusion and a blue team attempting to identify, contain, and eradicate it.

Security Logs

A target for event data related to access control, such as user authentication and privilege use.

Firewall Logging

A target for event data related to access rules that have been configured for logging. Typically only enabled for testing a new rule or high-impact rules.

Application Logs

A target for event data relating to a specific software app or package.

Endpoint Logs

A target for security-related events generated by host-based malware and intrusion detection agents.

Network Logs

A target for system and access events generated by a network appliance, such as a switch, wireless access point, or router.

Root Cause Analysis

A technique used to determine the true cause of the problem that, when removed, prevents the problem from occurring again.

Due Process

A term used in US and UK common law to require that people only be convicted of crimes following the fair application of the laws of the land.

Correlation

A function of log analysis that links log and state data to identify a pattern that should be logged or alerted as an event.

Your manager has asked you to prepare a summary of the usefulness of different kinds of log data. You have sections for firewall, application, OS-specific security, IPS/IDS, and network logs plus metadata. Following the CompTIA Security+ exam objectives, which additional log data type should you cover?

Endpoint logs. These are typically security logs from detection suites that perform antivirus scanning and enforce policies.

XCCDF

Extensible Configuration Checklist Description Format. XML schema for developing and auditing best practice configuration checklists and rules. Previously, best practice guides might have been written in prose for systems administrators to apply manually. XCCDF provides a machine-readable format that can be applied and validated using compatible software.

True or false? It is not possible to set custom file system audit settings when using security log data.

False. File system audit settings are always configurable. This type of auditing can generate a large amount of data, so the appropriate settings are often different from one context to another.

True or false? It is important to publish all security alerts to all members of staff.

False. Security alerts should be sent to those able to deal with them at a given level of security awareness and on a need-to-know basis.

True or false? The "first responder" is whoever first reports an incident to the CIRT.

False. The first responder would be the member of the computer incident response team (CIRT) to handle the report.

You are supporting a SIEM deployment at a customer's location. The customer wants to know whether flow records can be ingested. What type of monitoring tool generates flow records?

Flow records are generated by NetFlow or IP Flow Information Export (IPFIX) probes. A flow record is data that matches a flow label, which is a particular combination of keys (IP endpoints and protocol/port types).

dcfldd

Fork of dd with more features like multiple output files and exact match verification.

Timeline

In digital forensics, a tool that shows the sequence of file system events within a source image in a graphical format.

Provenance

In digital forensics, being able to trace the source of evidence to a crime scene and show that it has not been tampered with.

Data Acquisition

In digital forensics, the method and tools used to create a forensically sound copy of data from a source device, such as system memory or a hard disk.

Maneuver

In threat hunting, the concept that threat actor and defender may use deception or counterattacking strategies to gain positional advantage.

Intelligence Fusion

In threat hunting, using sources of threat intelligence data to automate detection of adversary IoCs and TTPs.

Metadata

Information stored or recorded as a property of an object, state of a system, or transaction.

IPFIX

Internet Protocol Flow Information eXport. Standards-based version of the NetFlow framework.

You've fulfilled your role in the forensic process, and now you plan on handing the evidence over to an analysis team. What important process should you observe during this transition, and why?

It's important to uphold a record of how evidence is handled in a chain of custody. The chain of custody will help verify that everyone who handled the evidence is accounted for, including when the evidence was in each person's custody. This is an important tool in validating the evidence's integrity.

LLR

Lessons Learned Report. An analysis of events that can provide insight into how to improve response and support processes in the future.

Containment

Limit the scope and magnitude of the incident. The principal aim of incident response is to secure data while limiting the immediate impact on customers and business partners. It is also necessary to notify stakeholders and identify other reporting requirements.

DD Command

Linux command that makes a bit-by-bit copy of an input file, typically used for disk imaging.

Preparation

Makes the system resilient to attack in the first place. This includes hardening systems, writing policies and procedures, and setting up confidential lines of communication. It also implies creating incident response resources and procedures. An incident response process that hardens systems, defines policies and procedures, establishes lines of communication, and puts resources in place.

You must recover the contents of the ARP cache as vital evidence of an on-path attack. Should you shut down the PC and image the hard drive to preserve it?

No, the ARP cache is stored in memory and will be discarded when the computer is powered off. You can either dump the system memory or run the ARP utility and make a screenshot. In either case, make sure that you record the process and explain your actions.

Log Data

OS and applications software can be configured to log events automatically. This provides valuable troubleshooting information. Security logs provide an audit trail of actions performed on the system as well as warning of suspicious activity. It is important that log configuration and files be made tamperproof.

OVAL

Open Vulnerability Assessment Language. XML schema for describing system security state and querying vulnerability reports and information.

What type of data source supports frame-by-frame analysis of an event that generated an IDS alert?

Packet capture means that the frames of network traffic that triggered an intrusion detection system (IDS) alert are recorded and stored in the monitoring system. The analyst can pivot from the alert to view the frames in a protocol analyzer.

Log Aggregation

Parsing information from multiple log and security event data sources so that it can be presented in a consistent and searchable format.

What are the seven processes in the CompTIA incident response lifecycle?

Preparation, Detection, Analysis, Containment, Eradication, Recovery, Lessons Learned

Incident Response Cycle

Procedures and guidelines covering appropriate priorities, actions, and responsibilities in the event of security incidents, divided into preparation, detection, analysis, containment, eradication/recovery, and lessons learned stages.

E-Discovery

Procedures and tools to collect, preserve, and analyze digital evidence.

Chain of Custody

Record of handling evidence from collection to presentation in court to disposal.

What is the purpose of SIEM?

Security information and event management (SIEM) products aggregate IDS alerts and host logs from multiple sources, then perform correlation analysis on the observables collected to identify indicators of compromise and alert administrators to potential incidents.

IPS/IDS Logs

Similar to firewall logging, where packets trigger log entries depending on the rules that have been set. Be careful, since multiple rules can be triggered by a single packet.

System Monitor

Software that tracks the health of a computer's subsystems using metrics reported by system hardware or sensors. This provides an alerting service for faults such as high temperature, chassis intrusion, and so on.

Incident Response Plan (IRP)

Specific procedures that must be performed if a certain type of event is detected or reported.

Syslog

Application protocol and event-logging format enabling different appliances and software applications to transmit logs or event records to a central server. Syslog works over UDP port 514 by default.

Your manager has asked you to prepare a summary of the activities that support alerting and monitoring. You have sections for log aggregation, alerting, scanning, reporting, and alert response and remediation/validation (including quarantine and alert tuning). Following the CompTIA Security+ exam objectives, which additional activity should you cover?

Archiving means that there is a store of event data that can be called upon for retrospective investigations, such as threat hunting. Archiving also meets compliance requirements to preserve information. As the volume of live data can pose problems for SIEM performance, archived data is often moved to a separate long-term storage area.

Network Monitor

Auditing software that collects status and configuration information from network devices. Many products are based on the Simple Network Management Protocol (SNMP).

NetFlow

Cisco-developed means of reporting network flow information to a structured database. NetFlow allows better understanding of IP traffic flows as used by different network applications and hosts.

Alert Tuning

The process of adjusting detection and correlation rules to reduce incidence of false positives and low-priority alerts.

Forensics

The process of gathering and submitting computer evidence for trial. Digital evidence is latent, meaning that it must be interpreted. This means that great care must be taken to prove that the evidence has not been tampered with or falsified.

You are providing security consultancy to assist a company with improving incident response procedures. The business manager wants to know why an out-of-band contact mechanism for responders is necessary. What do you say?

The response team needs a secure channel to communicate over without alerting the threat actor. There may also be availability issues with the main communication network if it has been affected by the incident.

True or false? To ensure evidence integrity, you must make a hash of the media before making an image.

True

System Memory Acquisition

Volatile data held in RAM

What is the significance of the fact that digital evidence is latent?

The evidence cannot be seen directly but must be interpreted, so the validity of the interpreting process must be unquestionable.

First Responder

The first experienced person or team to arrive at the scene of an incident.

Order of Volatility

The order in which volatile data should be recovered from various storage locations and devices after a security incident occurs.

Lessons learned

Analyzes the incident and responses to identify whether procedures or systems could be improved. It is imperative to document the incident. Outputs from this phase feed back into a new preparation phase in the cycle.

Sinkhole

A DoS attack mitigation strategy that directs the traffic that is flooding a target IP address to a different network for analysis.

What is the difference between a sensor and a collector, in the context of SIEM?

A SIEM collector receives log data from a remote host and parses it into a standard format that can be recorded within the SIEM and interpreted for event correlation. A sensor (or sniffer) copies data frames from the network, using either a mirror port on a switch or some type of media tap.

Event Viewer

A Windows console related to viewing and exporting events in the Windows logging file format.

Playbook

A checklist of actions to perform to detect and respond to a specific type of incident.

Dashboard

A console presenting selected information in an easily digestible format, such as a visualization.

Threat Hunting

A cybersecurity technique designed to detect the presence of threats that have not been discovered by normal security monitoring.

You must assess a security monitoring suite for its dashboard functionality. What is the general use of dashboards?

A dashboard provides a console to work from for day-to-day incident response. It provides a summary of information drawn from the underlying data sources to support some work task. Most tools allow the configuration of different dashboards for different tasks. A dashboard can show uncategorized events and visualizations of key metrics and status indicators.

Call List

A document listing authorized contacts for notification and collaboration during a security incident.

Dump

A file containing data captured from system memory.

Write Blocker

A forensic tool to prevent the capture or analysis device or workstation from changing data on a target disk or media.

Disk Image Acquisition

Acquiring data from nonvolatile storage such as HDDs, SSDs, USB thumb drives, and memory cards.

Acquisition

Acquisition is the process of obtaining a forensically clean copy of data from a device seized as evidence.

Analysis

Determines whether an incident has taken place and performs triage to assess how severe it might be from the data reported as indicators. An incident response process in which indicators are assessed to determine validity, impact, and category.

Detection

Discovers indicators of threat actor activity. Indicators that an incident may have occurred might be generated from an automated intrusion system. Alternatively, incidents might be manually detected through threat hunting operations or be reported by employees, customers, or law enforcement. An incident response process that correlates event data to determine whether they are indicators of an incident.

Recovery

Reintegrates the system into the business process it supports with the cause of the incident eradicated. This recovery phase may involve the restoration of data from backup and security testing. Systems must be monitored closely for a period to detect and prevent any reoccurrence of the attack. The response process may have to iterate through multiple phases of identification, containment, eradication, and recovery to effect a complete resolution. An incident response process in which hosts, networks, and systems are brought back to a secure baseline configuration.

Eradication

Removes the cause and restores the affected system to a secure state by applying secure configuration settings and installing patches once the incident is contained. An incident response process in which malicious tools and configurations on hosts and networks are removed.

Sensor/Sniffer

SIEM might collect packet captures and traffic flow data from sniffers. A sniffer can record network data using either the mirror port functionality of a switch or some type of tap on the network media.

Your company has implemented a SIEM but found that there is no parser for logs generated by the network's UTM gateway. Why is a parser necessary?

Security information and event management (SIEM) aggregates data sources from multiple hosts and appliances, including unified threat management (UTM). A parser translates the event attributes and data used by the UTM to standard fields in the SIEM's event database. This normalization process is necessary for the correlation of event data generated by different sources.
