12.1 - 12.8 Incident Response, Forensics, and Recovery


A forensic investigator gathers potential evidence from many software, hardware, and other sources. There is an order in which the evidence needs to be gathered. The order of volatility describes the process of capturing data based on the volatility of said data. Place the following items in the correct order of volatility in the gathering of potential evidence.

1. Random Access Memory (RAM)
2. Swap/page file
3. Hard drive
4. Remote logs
5. Archived data
RAM is the most volatile of all computer data storage and is cleared when a computer is shut down. Swap files or page files are a virtual extension of RAM. The data on the hard disk drive is a key piece of evidence in a computer forensics investigation. A lot of the things that we do on a computer system are saved in some way on the hard disk drive, including data in virtual memory. Remote logs are logs that document events on a computer system and are stored on a device other than the device that the events occurred on. Archived data are documents, logs, etc. that are not used regularly and are stored on a device other than the device under forensic investigation.

Operator - Description

== - Equal (example: ip.addr == 192.168.1.3)
eq - Equal (example: tcp.port eq 161)
contains - Contains a specific value (example: http contains "http://www.stuff.com")
ne - Not equal (example: ip.src ne 192.168.1.3)
!= - Not equal (example: ip.addr != 192.168.1.3)
&& - And (example: ip.addr == 192.168.1.3 && tcp.port == 23)
or - Or (example: ip.addr == 192.168.1.3 or ip.addr == 192.168.1.4)

RAID 5 striping with parity

A RAID 5 volume combines disk striping across multiple disks with parity for data redundancy. Parity information is stored on each disk. If a single disk fails, its data can be recovered using the parity information stored on the remaining disks. RAID 5:
> Provides an increase in performance.
> Provides fault tolerance.
> Does not provide fault tolerance if two or more disks fail.
> Requires a minimum of three disks.
> Has an overhead of one disk in the set for parity information (1 / n - 1). A set with three disks has 33% overhead. A set with four disks has 25% overhead. A set with five disks has 20% overhead.

Comment

A comment is text in a program's code, script, or another file that is not meant to be used by the program or seen by the user running the program. However, it is seen when viewing the source code.

MAC spoofing

A common low-level security measure is port security. Port security allows only specific MAC addresses to access a switch. The goal is to ensure that only authorized devices have access to the network. A MAC address for a network interface card (NIC) is assigned by the manufacturer. This address is hard-coded directly into the NIC and can't be changed. However, on some interfaces it is possible to change the MAC address of the interface driver. This allows an attacker's computer to connect to a switch using an authorized MAC address. This allows the attacker to capture packets from that network.

Runbooks

A compilation of routine operations and procedures used by a network admin.

Virtual machine (VM)

A computer that uses software components, but acts like a physical machine. A virtual machine resides on a host machine.

Data monitoring apps

A concern of organizations is data being downloaded. A variety of applications help an admin monitor data. These apps monitor data in all three states: at rest, in motion, and in use.

Constant

A constant is data or a value that does not change, unlike a variable.

Chain of custody

A record of the handling of gathered evidence. This gives all parties involved confidence that no evidence tampering has occurred.

Scripting Environments

A scripting or script language is a programming language for a special run-time environment that automates the execution of tasks. The term scripting language often refers to programs, such as Bash, PowerShell, and Python. Scripting is often used in software applications, web pages within a web browser, the shells of operating systems (OS), embedded systems, network tasks, as well as numerous other applications. Scripts can be thought of as a small program up to a few thousand lines of code. As a Security Analyst, you must be familiar with the different scripting languages and recognize the differences. The table below identifies comparisons in Bash, Python, and PowerShell scripting languages.

Security Incident

A security incident is an event or series of events that are a result of a security policy violation. The incident may or may not have adverse effects on an organization's ability to proceed with normal business. It is important to organizations that security incidents are recognized and dealt with appropriately. The following table describes types of security incidents.

12.3.3 SIEM and Log Management Facts

A security information and event management (SIEM) system combines security information management (SIM) and security event management (SEM) functions into one security management system. This lesson covers the topic of security information and event management.

Playbooks

A set of procedures detailing the steps to take when an event has been detected.

12.6.4 Shells and Scripting Facts

A shell refers to the mechanism that allows you to interact with the operating system directly. You enter shell commands in a terminal window and the system responds. Scripting allows you to create virtual programs that automate repetitive tasks. These programs contain statements, commands, and logic. They are often used to start processes, perform backups, and complete system maintenance. This lesson covers the following topics:
> SSH (Secure Shell)
> OpenSSL
> Scripting environments

SIEM

A software tool used to compile and examine multiple data points gathered from across a network.

Uninterrupted power supply (UPS)

A stand-alone power supply that allows servers to be gracefully shut down during a power outage.

String

A string is a sequence of characters, either as a literal constant or as some kind of variable.

RAID 0 striping

A stripe set breaks data into units and stores the units across a series of disks by reading and writing to all disks simultaneously. Striping:
> Provides an increase in performance.
> Does not provide fault tolerance.
> Does not protect data. A failure of one disk in the set means all data is lost.
> Requires a minimum of two disks and may contain up to 32 disks.
> Has no overhead because all disk space is available for storing data.
> Is the fastest of all RAID types. However, it does not provide fault tolerance.

Substring

A substring is a prefix or suffix of any string. For example, a substring of the word computer could be: puter or comp.

Isolation

A technique used to take a breached appliance off a network.

Variable

A variable is a named unit of data that is assigned a value. If and when the value is modified, the name does not change.

Hashing

A way to encrypt data. In forensics, data that's copied is run through a hashing algorithm.

Admissibility

Admissibility refers to evidence allowed to be used in court. For evidence to be admissible, it must meet certain criteria. First, it must be obtained by legal means. If evidence is discovered through an illegal procedure, then the evidence will not be admissible. In law, this is called fruit of the poisonous tree. This is why it is so important to understand what you are and are not allowed to do when collecting evidence. Retaining the services of a legal expert, law enforcement, or other outside help is recommended.

Event Subscription Configuration

After the source and collector have been properly prepared, the next step is to configure event subscriptions. The subscriptions are used to transfer events from the source computer to the collector computer. Be aware of the following when configuring event subscriptions:

Runtime status

After you have created the subscription, you can use the Runtime Status link to verify communications. Note: If you need to change the subscription type after it has been created, you must delete and recreate the subscription.

Which of the following components are the SIEM's way of letting the IT team know that a pre-established parameter is not within the acceptable range?

Alerts
Alerts are the SIEM's way of letting the IT team know that a pre-established parameter is not within the acceptable range. An alert is intended to get the attention of the IT person, or persons, monitoring the network. A best practice in this area is 24-hour monitoring. Sensors are set up at critical endpoints, services, and other vulnerable locations. These sensors are programmed to send customized alerts to the SIEM if certain parameters are not within the acceptable range. The dashboard consists of customizable information screens that show real-time security and network information. Trends are patterns of activity discovered and reported to the SIEM.

Alerts

Alerts are the SIEM's way of letting the IT team know that a pre-established parameter is not within the acceptable range. The alert is intended to get the attention of the IT person, or persons, monitoring the network. A best practice in this area is 24-hour monitoring.

Event forwarding

Allows you to configure specific events on one system to be forwarded to another system using specific criteria.

Virtual IP

An IP address that can be used by multiple endpoints. It is commonly used in failover systems and for load balancing.

Virtual IP (VIP)

An IP address that is not assigned to an endpoint. VIP is used for load balancing. It typically uses NAT IP address assignment.

Endpoint security solution

An application designed to protect network endpoints from malicious attacks. Endpoints are all devices connected to a network.

Array

An array is a group of related data values, or elements, stored together under one name. All the array elements must be the same data type.

Security incident

An event, or series of events, resulting from a security policy violation. A security incident has adverse effects on a company's ability to proceed with normal business.

If else statement

An if else statement is a conditional statement that selects the statements to run depending on whether an expression is true or false.

If statement

An if statement is a conditional statement that, if proven true, performs a function or displays information.

Big data analysis

An incident investigation that examines all types of data used in the organization, including text, audio, video, and log files. The investigation identifies anomalies that led up to the security incident.

Live analysis

An incident investigation that examines an active (running) computer system to analyze the live network connection, memory contents, and running programs.

Dead analysis

An incident investigation that examines data at rest, such as analyzing hard drive contents.

12.2 Mitigation of an Incident

As you study this section, answer the following questions:
> Why would you use whitelisting?
> How can you protect network endpoints?
> When would you use the mitigation technique of quarantining?
> Why is it important to keep a firewall configuration up-to-date?
In this section, you will learn to:
> Distinguish between whitelisting and blacklisting applications.
> Use isolation, quarantining, containment, and segmentation appropriately.
> Create a runbook for a network.
> Identify when to use a playbook.

You have detected and identified a security event. What's the first step you should complete?

Containment
You would choose containment. Containment is the first step to complete after an event has been detected and identified. Isolation limits the ability of a compromised process or application to do more harm to the network or its assets. Segmentation is a strategic network design. The concept is simple: keep the sections of a network separated so that malicious actors cannot pivot within a network. Playbooks are part of an incident-response plan. Playbooks can automate responses.

Containment

Containment is the first step after an event has been detected and identified. This action can take a few forms. You can disconnect a machine from the network by unplugging the Ethernet cable or disabling the NIC. If a network is connected to other networks, you can terminate those connections.

You would like to make sure users are not accessing inappropriate content online at work. Which endpoint security strategy would you employ?

Content filtering
You would choose content filtering. Online URL filtering is based on selected objectionable content. MDM doesn't provide content filtering. Firewall rules usually pertain to data, not necessarily inappropriate content. URL filters are for whitelisting and blacklisting sites. They are not used for filtering content.

Content filters

Content filtering is a strategy to keep employees from accessing unauthorized content on the web. Online URL filtering is based on selected objectionable content. This tactic is also applied to email to help combat phishing. Filtering is often deployed at the firewall but can also be deployed using other tools.

Which of the following are required to configure Event Subscription for event forwarding? (Select three.)

Create a Windows firewall exception for HTTP or HTTPS on all source computers.
Start Windows Remote Management service on both the source and collector computers.
Start Windows Event Collector service on collector computer.
You must configure both the source and collector computers for event forwarding:
> On the source and collector computers, start the Windows Remote Management service.
> On the collector computer, start the Windows Event Collector service.
> On the source computers, configure a Windows firewall exception for HTTP or HTTPS.

How can a criminal investigator ensure the integrity of a removable media device found while collecting evidence?

Create a checksum using a hashing algorithm
To protect or ensure the integrity of collected digital evidence, an investigator should create a checksum using a hashing algorithm. In the future, the same hashing algorithm can be used to create another checksum. Then the two values are compared. If the checksums are identical, the media was not altered. Not all removable media has write-protection switches, and it is possible for software to circumvent these physical restrictions. Writing a new file to the media or altering the settings on files on the media is a direct violation of integrity.

Your company is about to begin litigation, and you need to gather information. You need to get emails, memos, invoices, and other electronic documents from employees. You'd also like to get printed, physical copies of documents. Which tool would you use to gather this information?

Legal hold
You would use a legal hold. The purpose behind a legal hold is to help ease the burden of the IT and legal teams when it comes to gathering evidentiary documentation. This notice instructs employees to retain any electronically stored information, or ESI. The chain of custody proves that no tampering has occurred in gathering evidence. Timestamps provide an exact date and time of an event and must be accurate to be admissible. A timeline of events is required for digital forensic evidence to be admissible and to prove who is most responsible for what occurred.

logger

Lets you add entries in the system log file. The syntax is logger <message>. The message portion of the command can also be taken from the output of another command. Examples:
logger Here is my message - Adds the line "Here is my message" to the log file.
logger `who` - Uses the output of the who command as the message to be added to the log file.
logger -f msg - Adds the contents of the msg file to the log file.
logger --size 5 1234567890123467890 - Limits the input to the first 5 KiB characters.

Scripting Environments

Like all programming languages, scripting languages share many common components, such as the ability to create variables, constants, and arrays and to insert comments. The table below defines some common programming terms.

File Management Commands

Linux files can also be managed using the following commands:

The chain of custody is used for which purpose?

Listing people coming into contact with the evidence
The chain of custody is used to track the people who came in contact with the evidence. The chain of custody starts at the moment evidence is discovered and lists the identity of the person who discovered, logged, gathered, protected, transported, stored, and presented the evidence. The chain of custody helps to ensure the admissibility of evidence in court.

head

Lists the first 10 lines (the default) of a specified file. Use the -n option to specify the number of lines to display.
head /home/user/myfile - Lists the first 10 lines of myfile.
head -n 20 /home/user/myfile - Lists the first 20 lines of myfile.
head -n -35 /home/user/myfile - Displays all lines in myfile, omitting the last 35 lines.

You wish to configure collector-initiated event subscriptions. On the collector computer, in which program do you configure a subscription?

Event Viewer
Event Viewer is used to configure collector-initiated subscriptions. Collector-initiated event subscriptions are not configured using Group Policy like source-initiated subscriptions. Device Manager offers no settings to configure event subscriptions. Computer Management offers no settings to configure event subscriptions.

Correlation

Event correlation is a critical SIEM component. The software gathers data from log files, system applications, network appliances, etc., and analyzes it. This work is tedious; people are inefficient at it. That's why the event correlation feature is valuable. Not only does it gather the data, but it analyzes and compares known malicious behavior against the aggregated data, increasing the chances of the discovery of security events.

Implementation

Event forwarding is implemented in one of two ways:
> Collector-initiated subscriptions
> Source-initiated subscriptions

Setup

Event forwarding uses HTTP to transfer the events from the source to the collector.
> You can use HTTPS instead of HTTP to secure the transmission.
> HTTP or HTTPS makes setup relatively easy because most firewalls are already configured for HTTP and HTTPS traffic.

Tags

Evidence must be tagged when collected. Tags provide a clear, precise, and consistent way of marking evidence. Everything must be tagged, including cables, monitors, machines, and even the ports on a machine. The tags need to be very specific. For example, you are collecting evidence on a personal computer that has power cables, an Ethernet cable, USB ports, monitor cables, etc. All these items must be tagged. Even empty ports must be tagged as such. The exact location of each cable or other device must also be on the tag. For evidence to be admissible, the tagging must be done correctly the first time.

Corroborative evidence

Evidence or information that supports another fact or detail.

Hearsay evidence

Evidence that is obtained from a source who doesn't have personal, firsthand knowledge.

You want to allow RDP 3389 traffic into your network for a group of users to access a particular workstation that has a special application in your office. Which endpoint security tool would you use to make this happen?

Firewall rules
You would choose firewall rules to allow the traffic on port 3389 to the workstation on the private corporate network. URL filters are a database of URLs that are allowed (whitelisted) or prohibited (blacklisted). Content filtering is a strategy to keep employees from accessing unauthorized content on the web. Data monitoring apps monitor data in all three states: at rest, in motion, and in use. However, this doesn't help you to allow traffic on port 3389.

tail

Lists the last 10 lines (the default) of a specified file.
-n - Specifies a specific number of lines.
-f - Monitors the file.
tail /home/user/myfile - Lists the last 10 lines of myfile.
tail -n 20 /home/user/myfile - Lists the last 20 lines of myfile.
tail -n +16 /home/user/myfile - Displays all lines in myfile starting at line 16, omitting the first 15 lines.
tail -f /var/firewalld - Displays the last 10 lines of /var/firewalld and then dynamically displays new lines in the file as they are added.

A conditional statement that selects the statements to run depending on whether an expression is true or false is known as which of the following?

If else statement
An if else statement is a conditional statement that selects the statements to run depending on whether an expression is true or false. An if statement is a conditional statement that, if proven true, performs a function or displays information. Else is a conditional statement that, if previous conditions are not true, displays alternate information or performs alternate commands. Else if is a conditional statement performed after an if statement that, if true, performs a function.

External intrusion attempts

Intentional actions by a threat actor who is not employed by or associated with an organization in an attempt to exploit attack vectors. The intent of the threat actor is to harm an organization or profit from access to an organization's resources.

Unauthorized act by an employee

Intentional actions by an employee to do harm to a company's network or data. Also known as an insider threat.

You need to limit a compromised application from causing harm to other assets in your network. Which strategy should you employ?

Isolation
You would choose isolation. One way to protect the network is process isolation. This ensures that if a process is compromised, only the resources that are used by that process are at risk. Segmentation is a strategic network design. The concept is simple: keep the sections of a network separated so that malicious actors cannot pivot within a network. Containment is not a preemptive strategy. Containment is something you do after an event has occurred. SOAR is a platform to compile security data generated by different security endpoints. This compiled information is then sent to a security analyst for further action.

Isolation

Isolation limits the ability of a compromised process or application to do more harm to the network or its assets. One way to protect the network is process isolation. This ensures that if a process is compromised, only the resources that are used by that process are at risk.

Vulnerability scan output

Monitoring a network requires experience and solid tools. One tool common to network security is a scanner that can identify vulnerabilities and recommend remediation steps. This tool scans servers, firewalls, switches, software programs, security cameras, and wireless access points. The scan delivers the output to IT admins via the SIEM dashboard. The interval between scans is set by the IT department.

Business continuity plan

More detailed and longer than the disaster recovery plan, the business continuity plan has procedures and policies for each business unit. The policies and procedures are written by each business unit with guidelines from corporate management. This document includes organization charts, phone lists, order of restore, and vendor contact information.

C level executives

Keep incident response awareness a priority with C-level executives. Their support will help to garner support from other employees.

Communicate with business unit managers

Keep open lines of communication with unit managers. Be willing to accept their input. These are the people you will work with the most.

Port mirroring

Port mirroring can be challenging to set up, but is possible depending on the level of access an attacker has on a network. The concept behind port mirroring, also known as SPAN port, is simple. Port mirroring creates a duplicate of all network traffic on a port and sends it to another device. If all traffic from a target machine is directed through the switch to the server, an attacker can implement port mirroring. Port mirroring ensures that all traffic is sent to the attacker's machine as well as the target machine.

Power scheduling

Power scheduling is used to configure an active redundancy. This sends power to networks when a power facility goes down. Power scheduling prevents total loss of power during catastrophic events.

What does the hashing of log files provide?

Proof that the files have not been altered
Perform hashing of the log files to detect alteration. If a log file is altered, the hash of that file will be different. If the current hash is the same, you can assume that the file has not been altered. Hashing can detect alteration, but does not prevent it; users can still alter or delete a file. Encryption prevents unauthorized users from viewing the file contents. Timestamps on logs and log entries identify when events occur so you can reconstruct a timeline of events. Audit policies and retention policies control how log files are saved and what the system does when a log cannot be created or when disk space is full.

PuTTY

PuTTY is open-source software that supports several protocols, including SSH and Telnet.

!= or <> refers to Not Equal in which scripting language?

Python
!= or <> refers to Not Equal in the Python scripting language. -ne refers to Not Equal in the Bash scripting language. ne refers to Not Equal in the PowerShell scripting language. PuTTY is an SSH and Telnet client that was originally developed for the Windows platform.

Python

Python is an object-oriented programming language often used for scripting.

RAID 0+1

RAID 0+1 combines disk striping (0) and disk mirroring (1). Multiple disks are striped, creating a single volume. A second set of disks is then added to mirror the first set. RAID 0+1:
> Provides fault tolerance.
> Protects data if one or more disks in a single set fails.
> Does not protect data if two disks in different mirrored sets fail.
> Provides an increase in performance.
> Requires an even number of disks with a minimum of four disks.
> Has a 50% overhead.

RAID 1+0 mirroring a striped set

RAID 1+0 combines disk mirroring (1) and disk striping (0). Multiple disks are configured into two mirrored arrays. Each mirrored set is then striped with the other set. RAID 1+0:
> Provides fault tolerance.
> Protects data if one or more disks in a single set fails.
> Protects data if two disks in different sets fail.
> Provides an increase in performance.
> Requires an even number of disks and a minimum of four disks.
> Has a 50% overhead.
> Is the fastest, most fault-tolerant, and most expensive of the RAID arrays.
> Performs better and provides more fault tolerance than RAID 0+1 arrays.

Random Access Memory

RAM is the most volatile of all computer data storage. RAM is cleared when a computer is shut down. Once gone, it cannot be recovered. Data in RAM can be copied as long as the system is running, but this should be done only by someone with proper training. The data stored in RAM can contain valuable information. Many times malware such as worms, viruses, and Trojan horses are created as memory-resident only. This makes identifying them difficult.

12.7.5 RAID Facts

Redundant Array of Independent Disks (RAID), also called Redundant Array of Inexpensive Disks, is a disk subsystem that combines multiple physical disks into a single logical storage unit. This lesson covers the topic of Redundant Array of Independent Disks.

Manage Redundant Power Options

Redundant power options are vital. A network without power is useless. Common power options found in datacenters include:
> Uninterrupted power supply (UPS). A UPS is a stand-alone bank of batteries that allows for the graceful shutdown of network appliances when power goes out.
> Generator. A generator is a large-scale device that provides power for an extended period of time, normally between 24 and 48 hours.
> Dual supply. A dual power supply is common in network appliances like servers and firewalls. It allows for one failure and hot-swapping.
> Managed power distribution unit (PDU). A managed power distribution unit is a rack-mounted unit that distributes power on a large scale, such as in a data center.

Remote logs

Remote logs are logs that document events on a computer system and are stored on a device other than the device that the events occurred on.

You want to set up a collector-initiated environment for event subscriptions. Which commands would you run? (Select two.)

Run wecutil qc on the collector computer.
Run winrm qc -q on the source computer.
To set up a collector-initiated environment for event subscriptions:
1. Run winrm qc -q on the source computer.
2. Add the collector computer account to the local Event Log Readers group on the source computer.
3. Add a user with admin privileges to the local Event Log Readers group on the source computer.
4. Run wecutil qc on the collector computer.
You must also run winrm qc on the collector computer. This command uses delivery optimization options other than the default.

Runbooks

Runbooks are a condition-based series of protocols you can use to establish automated processes for security incident response. Assessment, investigation, and mitigation are accelerated with the use of a runbook. Even though processes are automated, human analysis is still used in some cases.

For some reason, your source computers are not communicating properly with the collector. Which tool would you use to verify communications?

Runtime Status
You would choose Runtime Status to verify communications after you have created a subscription. The wecutil qc command would simply run the Windows Event Collector service. The winrm qc -q command would initiate the Windows Remote Management service. The Event Viewer System log would not verify current communications.

SMAC

SMAC is a spoofing tool that allows an attacker to spoof a MAC address to any value.

As a security analyst, you are looking for a platform to compile all your security data generated by different endpoints. Which tool would you use?

SOAR
You would choose SOAR (Security Orchestration, Automation, and Response). This compiled information is sent to a security analyst for further action. SOAR frees an analyst from constantly receiving security alerts as they are generated. Analysts can use parameters to automate solutions for security incidents that meet certain criteria. An MDM is for managing mobile devices. It is not for all endpoints. An MAM allows you to manage mobile apps on all sorts of devices, but it does not allow you to compile endpoint data. GDPR (General Data Protection Regulation) is a framework in the EU for data protection and privacy.

Security Orchestration, Automation and Response (SOAR)

SOAR is a platform to compile security data generated by different security endpoints. This compiled information is then sent to a security analyst for further action. SOAR frees an analyst from constantly receiving security alerts as they are generated. Analysts can use parameters to automate solutions for security incidents that meet certain criteria. SOAR:
> Gathers alert data and places it in a specified location.
> Facilitates application data integration.
> Facilitates focused analysis.
> Creates a single security case.
> Allows for multiple playbooks and playbook step automation.

Secure Shell (SSH)

SSH is a remote administration protocol that allows admins to securely connect to remote systems.

OpenSSL

SSL is a method that provides an encryption standard that's widely used by internet websites. When you connect to a secure website, such as a financial institution or shopping site, that site is protected by SSL. Remote access, including PuTTY, can take advantage of the same encryption standard by using OpenSSL, which is an open-source implementation. OpenSSL creates a key pair using encryption standards such as DSA or RSA.

Secure Sockets Layer (SSL)

SSL is a security encryption protocol that allows secure connections to remote systems.

grep

Searches through files for a specified character string. By default, grep is context sensitive and displays the string in the context of the line containing the string.
-A [number] - Prints a specified number of lines following the matching lines.
-a - Searches binary (executable) files as though they were text files.
-B [number] - Prints a specified number of lines before the matching lines.
-C [number] - Prints a specified number of lines of context around the matching lines.
-c - Shows the number of matches of the string for the file.
-E - Uses extended regular expressions for the text pattern.
-e [pattern] - Specifies the search pattern explicitly, so a pattern that begins with a dash is not read as an option.
-f - Searches for multiple strings using a file that lists the string patterns.
-l - Lists the names of the files with a match. This is used to search multiple files.
-m [number] - Shows the specified number of matches for a file.
-n - Displays the line number of the lines containing the term.
-r - Searches the directory and all subdirectories for files containing the term.
-v - Displays non-matching lines.
--include=[file_name] - Searches only in files with names that match a specified string.
--exclude=[file_name] - Skips files with names that match a specified string.
-w - Searches for whole words only.
Examples:
grep -A 3 Midway ~/docs/WWII-report - Searches WWII-report for the pattern Midway and prints the line and the next three lines.
grep -a -r var11 /bin - Searches all files, including binary files, in the /bin directory for the pattern var11.
grep -c Midway ~/docs/WWII-report - Shows a number representing the number of times the pattern Midway was found in the WWII-report file.
grep -C 3 Midway ~/docs/WWII-report - Shows three lines preceding and three lines following each matching line.
grep -e '--count' ~/docs/doc1 - Looks for the pattern --count in the doc1 file rather than interpreting it as an option.
grep -l -r Midway ~/docs - Shows the name of all files in the /home/user/docs directory that contain the term Midway.
grep -m 2 battle ~/docs/WWII-report - Shows the first two times the term battle is found in the file.
grep -n -i customVariable1 ~/java/program1.java - Shows the line numbers of lines that have the term customVariable1 in the program1.java file. This ignores the case.
grep -r battle ~/docs/ - Searches the directory and all subdirectories for the term battle.
grep -w tank ~/docs/WWII-report - Searches for the whole word tank in the file.

Security Information and Event Management

Security information and event management tools compile and examine multiple data points gathered from across a network. The following table describes SIEM components.

You need to limit the impact of a security breach for a particular file server with sensitive company data. Which strategy would you employ?

Segmentation You would choose segmentation. You can segment using VLANs, software-defined networks, switches, subnetting, or even physical segmentation. Isolation limits the ability of a compromised process or application to do more harm to the network or its assets. Containment is the first step after an event has been detected and identified. Segmentation is preventative. SOAR is a platform to compile security data generated by different security endpoints.

Segmentation

Segmentation is a strategic network design. The concept is simple: keep the sections of a network separated so that malicious actors cannot pivot within a network. You can segment using VLANs, software-defined networks, switches, subnetting, or even physical segmentation. Being on a different subnet is not enough. You must implement rules to control the kind of communications that occur between assets on the network. You can also create a demilitarized zone (DMZ). It is a virtual area where you separate assets from internal network assets. A network with a DMZ may have a single firewall or two firewalls depending on how secure the segment needs to be. No matter the topography, access between the DMZ and the internal network is access controlled.

Sensors

Sensors are a vital part of monitoring and securing a network. Sensors are set up at critical endpoints, services, and other vulnerable locations. These sensors are programmed to send customized alerts to the SIEM if certain parameters are not within the acceptable range.

You have a large number of source computers in your IT environment. Which subscription type would be most efficient to employ?

Source-initiated You would choose source-initiated since there are a large number of source computers. Collector-initiated is more efficient if you have a limited number of source computers. Event forwarding uses HTTP to transfer the events from the source to the collector. HTTP or HTTPS makes setup relatively easy because most firewalls are already configured for HTTP and HTTPS traffic.

Swap/page file

Swap files or page files are a virtual extension of RAM. An OS is designed so that if you are running low on RAM, it can place files not in use into the swap or page file to be accessed later. An administrator can determine how much space to allocate to page files. For the forensic investigator, this is another potential source of evidence. The page file data does not automatically delete at shutdown unless you change the default settings.

Which of the following is a standard for sending log messages to a central logging server?

Syslog Syslog is a protocol that defines how log messages are sent from one device to a logging server on an IP network. The sending device sends a small text message to the syslog receiver (the logging server). The Open Vulnerability and Assessment Language (OVAL) is an international standard for testing, analyzing, and reporting the security vulnerabilities of a system. LC4 (previously called L0phtCrack) is a password-cracking tool. Nmap is a network mapping tool that performs ping and port scans.

Over the past few days, a server has gone offline and rebooted automatically several times. You would like to see a record of when each of these restarts has occurred. Which log type should you check?

System A system log records operating system, system, and hardware events. The system log contains entries for when the system was shut down or started, when new hardware was added, and when new services were started as well. A performance log records information about the use of system resources, such as the processor, memory, disk, or network utilization. A firewall log identifies traffic that has been allowed or denied through a firewall. A security log records information related to logons, such as incorrect passwords being used and user right usage.

TCPDUMP

TCPDUMP is a Linux tool that collects packet data. The data can be stored for later analysis.

Subscription Types

The type of subscription determines the specific tasks required to configure event forwarding, as explained in the following table.

Geographic dispersal

The use of multiple locations to store data to mitigate downtime due to location.

Attack Frameworks

There are a few frameworks you can utilize for incident response. The table below describes three.

Trends

Trends are patterns of activity discovered and reported to the SIEM. This is how baselines are established. Trends help security analysts decide if reported activity is normal or outside of the baseline. Trends that do not fit previously recorded information can be investigated by the security group. As the IT security team investigates and documents these trends, it becomes easier for the team to quickly spot a trend that may signal a security event.

Certificate status databases

Trust is an imperative when accessing websites. Certificates provide this trust. Certificate databases provide easy access to certificate status (valid, invalid or revoked). Certificates can be revoked for any number of reasons by the CA. Many browsers block websites with invalid certificates.

Active/passive

Two load balancers with one actively working and the second in listening mode to take over if the active machine fails.

Active/passive

Two load balancers with one actively working and the second in listening mode to take over if the first one becomes unavailable.

Active/active

Two load balancers working in tandem to distribute network traffic.

URL filters

URL filters are a database of URLs that are allowed (whitelisted) or prohibited (blacklisted). While the database can be created and maintained manually, most are regularly updated databases that are SaaS in nature. Machine learning is used to improve the accuracy and the speed of updating these databases.

Ufasoft Snif

Ufasoft Snif is a network sniffer used to capture, decrypt, and analyze packets as they travel across the network.

Employee errors

Unintentional actions by an employee that cause damage or leave network systems vulnerable to attack.

12.4.4 Windows Event Subscriptions Facts

Use Event Subscriptions to collect events from multiple computers and store the events on one computer. This lesson covers the following topics: > Process > Subscription types > Event subscription configuration

You are concerned that an attacker can gain access to your web server, make modifications to the system, and alter the log files to hide his or her actions. Which of the following actions would best protect the log files?

Use syslog to send log entries to another server. The best protection is to save log files to a remote server. In this way, compromise of a system does not provide access to the log files for that system. Configuring permissions on the log files would allow access for only the specified user accounts. However, if an attacker has gained access to the system, he or she might also have access to the user accounts that have been given access to the log files. Encrypting the log files protects the contents from being read, but this does not prevent the files from being deleted. Hashing of log files ensures integrity and that the files have not been altered since they were created.

Geographic dispersion

Using multiple locations to store data to mitigate downtime due to loss of availability at a location.

Video

Video evidence in criminal cases has become the norm, not the exception. Video evidence may come from security cameras or videos stored on a computer. The key to ensuring that video evidence is admissible is the ability to prove the video has not been manipulated. If this cannot be done, the video is likely to be excluded. Caution must be taken when retrieving videos to ensure that the integrity of the video is preserved. Video evidence can be very persuasive and many times even the deciding factor in a legal case. It can also be fatal to a case if shown to have been gathered in an illegal, sloppy, or reckless manner.

What is the best definition of a security incident?

Violation of a security policy The best definition of a security incident is a violation of a security policy. Criminal activity, compromise of the CIA, and productivity interruptions are all violations of security policy. They are specific examples of security incidents rather than a universal definition.

Which log file type is one of the most tedious to parse but can tell you exactly when users log onto your site and what their location is?

Web server logs Web server logs are one of the most tedious of all logs to parse. However, these logs can tell you exactly when users log onto your site and what their location is. Authentication logs are vital to a network's security. Authentication servers may be Active Directory-based or OpenLDAP depending on your network structure. System logs are produced by an operating system. Event logs show application access, crashes, updates, and any other relevant information that could be valuable in determining root-cause analysis.

Web metadata

Websites produce many types of metadata. The metadata on a user's machine versus the server can be very different. The data on both sides of the transmission can help fill in gaps and corroborate findings. Metadata includes IP addresses, user requests, user downloads, time spent on the site, and even attempts to gain unauthorized access. Web metadata includes cookies, browser history, and cached pages. Many times malicious actors will attempt to obfuscate their metadata. However, there are ways of finding the real metadata, especially for trained forensic investigators.

MAC flooding

When a switch is initially turned on, it doesn't know which devices it will support. A switch uses a content addressable memory (CAM) table to track MAC addresses. As it receives packets from various MAC addresses, it adds the addresses to its CAM table and associates each one with a physical port on the switch. This process allows data to be sent directly to the port where the intended recipient is located instead of sending all data across the entire network like a hub. Although one port can have multiple MAC addresses associated with it, the CAM table has a size limit. MAC flooding is the process of intentionally flooding the CAM table with Ethernet frames, each originating from a different MAC address. Once the table starts to overflow, the switch responds by broadcasting all incoming data to all ports, basically turning itself into a hub instead of a switch. When an attacker's MAC address is connected to one of the ports, the attacker can capture all traffic as it is broadcast across the network.

Quarantining

When anti-virus software finds a malicious item, it quarantines it. This means that the item is placed in a folder where it cannot cause any damage to the network. If it is found to be non-malicious, it can be released from quarantine. Endpoints are the devices that attach to a network, such as desktop computers, laptops, smartphones, printers, etc. Endpoints represent a prominent attack vector. These endpoints, when attacked, become pivot points to deeper network assets. An endpoint can be quarantined. If this is done, the endpoint will no longer receive network traffic.

Sensitivity

When the sensors are deployed, the sensitivity level is set by the IT security team. The benefit of variable sensitivity settings is the ability to customize the data that is sent to the SIEM. Not every organization will have the same needs in network monitoring.

Process

When you create an event subscription, events are sent from a source (also called a forwarder) computer to the collector computer. The source computer is the computer where the event is generated. The collector computer is the computer where the events are sent. Events forwarded to a collector computer can be manipulated in the event logs like any other log. Event forwarding allows you to: > Establish the criteria for identifying events to be forwarded. > Specify the log file the forwarded events are stored in on the collector. Be aware of the following processes when implementing event forwarding and subscriptions:

This application endpoint-protection rule implicitly denies unless added to the rule. Which of the following processes describes this?

Whitelisting You would choose whitelisting. Whitelisting allows an IT admin to control the applications, IP addresses, URLs, and email addresses that are allowed onto the network. Whitelisting might mistakenly fail to list a needed application and interrupt workflow. Remember, whitelisting denies access until the item is added to the whitelist. This is called implicit deny. This is part of access control and is more strict than blacklisting. Blacklisting lists the applications, IP addresses, URLs, email addresses, etc. that are to be blocked from the network. Quarantining occurs when antivirus software finds a malicious item and quarantines it. This means that the item is placed in a folder where it cannot cause any damage to the network. Content filtering is a strategy to keep employees from accessing unauthorized content on the web. Online URL filtering is based on selected objectionable content.

Whitelisting

Whitelisting allows an IT admin to control the applications, IP addresses, URLs, and email addresses that are allowed onto the network. Whitelisting can be done at the firewall, email server, or using applications that automate updates and virus protections. Whitelisting is a great tool, but it is much more labor intensive than blacklisting. Whitelisting might mistakenly fail to list a needed application and interrupt workflow. Remember, whitelisting denies access until the item is added to the whitelist. This is called implicit deny. This is part of access control and is more strict than blacklisting.

WinARPAttacker

WinARPAttacker can scan, detect, and even attack computers on a LAN.

WinDump

WinDump is the Windows version of TCPDump.

Wireshark

Wireshark is a network protocol analyzer.

Wireshark

Wireshark is one of the most well-known packet analyzers. It is available for Windows, Mac, and Linux operating systems. Wireshark has numerous tools that can be used to capture and analyze traffic. It includes search and filtering capabilities that make it a very powerful resource. These filtering commands can be typed into the filter window. The screen will display only the filtered data. The following table lists commonly used filters:

You are worried about email spoofing. What can be put throughout an email's header that provides the originating email account or IP address and not a spoofed one?

X-headers You would choose x-headers. Do this with security devices that are designed for this purpose. These devices put X-headers throughout an email's header and provide the originating email account and IP address, not the spoofed one.

You need to find the text string New Haven in 100 documents in a folder structure on a Linux server. Which command would you use?

grep You would choose the grep command. This command searches through files for a specified character string. By default, grep is context-sensitive and displays the string in the context of the line containing the string. The chmod command assigns or removes permissions to users, groups, or others. The head command shows the first few lines of a file. The tail command shows the last few lines of a file.

You would like to add some entries into the system log file. Which command would you use?

logger You would choose the logger command. This command lets you add entries in the system log file. The grep command searches a file for a specified character string. The chmod command changes permissions for a file. The cat command lists the contents of a file.

sFlow

sFlow is a packet sampling technology that works on layers 2 - 7 of the stack. Unlike NetFlow, sFlow can only be used in sampling mode. This is a stateless packet sampling that provides information on various layers and does it quickly and efficiently.

You would like to see only the last 15 lines of /home/user/logfile on your Linux machine. Which command line interface (CLI) command would you use?

tail -n 15 /home/user/logfile You would choose the tail -n 15 /home/user/logfile command. The cat command displays the entire file. The head command only shows the first requested lines of a file. The tail -f command dynamically monitors the file by showing the last 10 lines of a file and new lines as they are added.

Virus and harmful code attacks

Tools used by threat actors to disrupt company business, compromise data, or hurt the company's reputation.

12.5.10 Section Quiz

CIST 1601

12.6.8 Section Quiz

CIST 1601

Cain and Abel

Cain and Abel is a collection of tools including ARP poisoning. Cain and Abel redirects packets from a target by forging ARP replies.

You have been asked to draft a document related to evidence-gathering that contains details about personnel in possession and control of evidence from the time of discovery up through the time of presentation in court. Which type of document is this?

Chain of custody The chain of custody is a document related to evidence-gathering that contains details about personnel in possession and control of evidence from the time of discovery up through the time of presentation in court. A CPS (certificate practice statement) is a document written by a certificate authority outlining their certificate handling, management, and administration procedures. FIPS-140 is a government standard that defines procedures, hardware, and software that can be employed when performing forensic investigations of cybercrime. The rules of evidence are the restrictions that must be adhered to in order to ensure the admissibility of collected evidence.

What is the most important element related to evidence in addition to the evidence itself?

Chain of custody document The chain of custody document is the most important item related to the evidence. Nothing is more important than the chain of custody document, including photographs. Witness testimony can be helpful, but it is not more important than the chain of custody document. Completeness of the evidence is beneficial, but it is not as beneficial as a reliable chain of custody document.

Chain of custody

Chain of custody is a record of the handling of each piece of gathered evidence. This gives all parties involved confidence that the evidence has not been tampered with. The chain of custody begins immediately upon gathering the evidence. The person who gathers the evidence is responsible for securing it so that it is protected from any harmful conditions and cannot be tampered with. For example, a hard drive would need to be placed inside an anti-static bag, maybe even a Faraday bag. It would then be sealed inside an evidence bag that would have the date, time, originator, and description of the evidence it contains. The evidence bag would document all persons who take custody of the evidence. Evidence bags are tamper-resistant. Any signs of tampering must be investigated.

Concept | Bash | Python | PowerShell

Comment
Bash: # This line is commented out
Python: # This line is commented out
PowerShell: # This line is commented out

Variables
Bash: FirstName="Dana"
Python: FirstName = "Dana"
PowerShell: $FirstName = "Dana"

Constants
Bash: InterestRate=3.5
Python: InterestRate = 3.5
PowerShell: $InterestRate = 3.5

Basic arrays
Bash: numArray=(num1 num2 num3)
Python: numArray = [num1, num2, num3]
PowerShell: $numArray = @(num1, num2, num3)

Fetch data stored in arrays
Bash: echo ${numArray[0]}
Python: print(numArray[0])
PowerShell: echo $numArray[0]

IF
Bash: if [ "$Cost" -lt "$Balance" ]; then <call payment function>; fi
Python: if Cost < Balance: <call payment function>
PowerShell: if ($Cost -lt $Balance) { <call payment function> }

IF, ELSEIF, ELSE
Bash: if [ <example> ]; then <result>; elif [ <example> ]; then <result>; else <result>; fi
Python:
    if <example>:
        <result>
    elif <example>:
        <result>
    else:
        <result>
PowerShell: if (<example>) { <result> } elseif (<example>) { <result> } else { <result> }

Loops
Bash: while [ "$x" -eq "$dog" ]; do <commands>; done
Python:
    animals = ["fox", "wolf", "dog"]
    for x in animals:
        print(x)
        if x == "dog":
            break
PowerShell: Do { <commands> } While ($x -eq $dog)

String operations
Bash: sampleString="Sample String"; echo "${sampleString}"; echo "${sampleString:0:4}"; echo "${sampleString/Sample/Sampling}"
Python: sampleString = "Sample String"; print(sampleString.upper()); print(sampleString.replace("Sample", "Sampling"))
PowerShell: $sampleString = "Sample String"; echo ($sampleString + "2"); $sampleString.Substring(0, 4)

You are configuring a source-initiated subscription on the collector computer in Event Viewer. Which of the following do you need to specify?

Computer group You would choose the computer group for a source-initiated subscription. Selecting a computer would be for the collector-initiated subscription. The Forwarded Events log is selected, not the System log. Content filtering is a strategy to keep employees from accessing unauthorized content on the web.

Event logs

Computers, servers, and other network appliances produce event logs. These logs are time stamped and show exactly what happened on a specific computer or appliance. The event log may contain the affected process, application, protocol, or other pertinent information. Caution must be exercised when retrieving any data from a system. Trying to recover event logs from a machine is dangerous. Do a bit-for-bit copy first. Recover evidence from this copy. Remember, event logs are only as accurate and reliable as the system from which they come. Therefore, you should make sure that all client computers on a network have the time set by a time server and rechecked on a regular basis.

Interviews

Conducting interviews with people involved in a computer crime is a useful tool. The interviews need to be done with caution and in a way that makes them legally admissible. All interviews should be either video recorded or audio recorded. These artifacts must be accurately time stamped and conducted in accordance with local, state, and federal laws. The interviews should be handled by legal professionals to avoid improper or inadmissible testimony. Interviews can be a powerful investigative tool if done correctly.

Storage area network (SAN)

A dedicated, high-speed network of storage devices. Usually used for file shares.

Sensor

A device that gathers data from a device or system. It provides the collected data to a monitoring system.

Incident response team charter

A document that describes the creation and function of a specialized team trained to identify malicious actions against a network. The charter documents the funding, reporting hierarchy, authority, and responsibility of the team designated to stop an attack, investigate incidents, and collect evidence.

Disaster recovery plan

A documented plan of policies and procedures that are executed in the event of a disruption of business.

Multipath

A fault-tolerance technique that gives multiple physical paths between a CPU and a mass-storage appliance.

Digital Data Collection

A forensic investigator gathers potential evidence from many software, hardware, and other sources. There is an order in which the evidence needs to be gathered. The order of volatility describes the process of capturing data based on the volatility of the data. The most volatile data should be captured first, followed by progressively less volatile (more persistent) data. If an attack is underway, your computer forensics response team will probably capture data as follows.

Legal hold

A formal notice sent out to all employees of a company when litigation is imminent. The notice instructs all employees to retain electronically stored information (ESI). A legal hold is also called a litigation hold.

Legal hold

A legal hold, also called a litigation hold, is a formal notice sent out to all employees of a company when litigation is imminent. The notice instructs all employees to retain electronically stored information (ESI). This includes emails, memos, invoices, and any other stored document. A legal hold also covers printed, physical copies of documents.

Application blacklisting

A list of blocked applications.

Application whitelisting

A list that has the names of applications permitted to pass through the firewall.

Redundancy

A method for providing fault tolerance by using duplicate or multiple components that perform the same function.

RAID 1 mirroring

A mirrored volume stores data to two duplicate disks simultaneously. If one disk fails, data is present on the other disk and the system switches immediately from the failed disk to the functioning disk. RAID 1: > Provides fault tolerance. Does not increase performance. > Requires two disks. > Has a 50% overhead. > Writes data twice, meaning that half of the disk space is used to store the copy of the data. > Has an overhead of 1 / n, where n is the number of disks in the set. > Is the most expensive fault tolerant system.

Containment

A mitigation technique that puts a suspected malicious file in a place where it cannot interact with other devices on the network.

Quarantine

A mitigation technique used to separate a malicious file or application.

Communication plan

A plan to effectively communicate important company information in the case of an emergency.

Playbooks

A playbook is a checklist style document that specifies the steps to be taken in response to a threat or incident. The steps are listed in the order to be performed. A playbook ensures a consistent approach to security issues.

Damage assessment

A preliminary onsite evaluation of damage or loss caused by a security incident.

Load balancers

A process that distributes processing among multiple nodes.

Load balancing

A process that distributes processing among multiple nodes.

Some users report that frequent system crashes have started happening on their workstations. Upon further investigation, you notice that these users all have the same application installed that has been recently updated. Where would you go to conduct a root cause analysis?

Application log You would choose the application log. Most applications produce some type of event logging. These logs show application access, crashes, updates, and any other relevant information that could be valuable in conducting a root cause analysis. The application may be crashing or not performing correctly, and this could be tied to suspicious activity that may indicate malicious intent. Network logs tell you what is coming into and leaving your network. A firewall log identifies traffic that has been allowed or denied through a firewall. A security log records information related to logons, such as incorrect passwords being used and the user right usage.

Application Endpoint Protection

Applications are allowed to enter a network via a firewall. In order to keep malicious apps from entering, you must create rules that allow or deny specific applications. This process is referred to as whitelisting and blacklisting. You can also quarantine an application. The following table describes these processes.

Archived data

Archived data are documents, logs, etc. that are not used regularly and are stored on a device other than the device under forensic investigation.

Incident Plans

As part of the incident response process, you can use playbooks and runbooks together to achieve a more effective response that can be automated and include tasks that are automatically assigned to analysts to complete. These two plans can also help to meet and comply with regulatory frameworks like GDPR or NIST if necessary.

12.4 Windows Logging

As you study this section, answer the following questions: > How can rules in the correlation process help reduce the use of system resources? > How can alerts and triggers aid administrators as they resolve threats or issues? > When configuring event subscriptions, should you use Group Policy or manually define them? In this section, you will learn to: > Configure collector-initiated subscriptions. > Configure source-initiated subscriptions. > Log events with Event Viewer.

12.3 Log Management

As you study this section, answer the following questions: > What does a security information and event management (SIEM) system do? > Why are trends important for network management? > What part does event correlation play in a SIEM? > How do IT security teams use alerts? In this section, you will learn to: > Use vulnerability scan outputs as part of SIEM. > Identify trends and use them appropriately. > Identify uses for SIEM.

12.6 File and Packet Manipulation

As you study this section, answer the following questions: > What tools can you use to keep your network safe and minimize potential risks? > How can PowerShell and Python be useful to an administrator? > What are some of the most common Linux utilities used by both hackers and security analysts/system administrators? In this section, you will learn to: > Use TCPDump to capture packet data. > Use Wireshark to capture network protocol information. > Use TCPReplay to analyze attacks. > Use shells and scripting for programming and remote connection. > Use Linux commands and utilities. > Use a logging utility to manipulate and add information to log files. The key terms for this section include:

12.5 Digital Forensics

As you study this section, answer the following questions: > Why is a chain of custody important in an investigation? > What importance does a provable timeline of events play in admissibility of digital forensic evidence? > Why is it important to take a bit-by-bit copy of the logs? > How does the order of volatility help you decide what to secure and preserve first? > What is a digital forensic artifact? > How does provenance play a vital role in digital forensics? In this section, you will learn to: > Create a forensic drive image with FTK, Guymager, and DC3DD. > Examine a forensic drive image with Autopsy. The key terms for this section include:

12.7 Redundancy

As you study this section, answer the following questions: > Why is redundancy important to network security? > Why would an organization use geographic dispersal? > What are the levels of RAID and when would you use each level? > Why would a system administrator want to use load balancers? > What is an uninterrupted power supply used for? > What is the difference between active/active and active/passive? > What is the main advantage of RAID 0? Disadvantage? > What is the difference between RAID 0+1 and RAID 1+0? In this section, you will learn to: > Implement RAID. > Configure fault-tolerant volumes. Key terms for this section include the following:

12.1 Incident Response

As you study this section, answer the following questions: > Why is the chain of custody so important in a forensic investigation? > How do you ensure the integrity of collected digital evidence? > When conducting a forensic investigation, what methods can you use to save the contents of memory? > What would a computer forensic investigator analyze when conducting a live analysis compared to a dead analysis? > What actions should you take when an incident occurs? In this section, you will learn to: > Analyze and record forensic evidence. > Use a forensic tool to gather and authenticate forensic information from a system.

chmod

Assigns a special permission (SUID, SGID, or the sticky bit). Be aware of the following syntax options: [octal_value] - Sets the permissions for the file using one octal digit per mode category. The special-permission digit precedes the standard three-digit octal representation (4 = SUID, 2 = SGID, 1 = sticky bit; add the digits to combine them), so only that first digit changes to identify the special permission settings. [category] + [permission] - Adds a special permission for the user (u), group (g), or other (o) category to a file. [category] - [permission] - Removes a special permission for user, group, or other from a file. Examples: chmod 4xxx - Sets the set user ID (SUID). chmod u+s - Sets the SUID. chmod u-s - Removes the SUID. chmod 2xxx - Sets the set group ID (SGID). chmod g+s - Sets the SGID. chmod g-s - Removes the SGID. chmod 1xxx - Sets the sticky bit. chmod o+t (or chmod +t) - Sets the sticky bit. chmod o-t - Removes the sticky bit. chmod 6xxx - Sets both the SUID and SGID. chmod 7xxx - Sets the SUID, SGID, and sticky bit. Note that the sticky bit belongs to the "other" category, so chmod u+t does nothing, and that on a regular file a three-digit numeric mode such as chmod 755 clears any special bits that were set.
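The special bits in working code, as an added example that is not part of the original page: the symbolic-mode parser is a small subset of chmod's grammar written for this example (no `=` operator, no umask handling), the scratch files live in a temporary directory, and the four-digit octal readout is the same value GNU `stat -c %a` prints. The SUID finder at the end is the after-the-fact check a reviewer runs for stray privileged files.

```python
import os
import shutil
import stat
import tempfile

# Bits each "who" letter may touch. SUID lives with the owner bits, SGID with
# the group bits, and the sticky bit (t) with the "other" bits; that is why
# chmod u+t is a no-op and the sticky bit is set with o+t or +t.
WHO_BITS = {
    "u": stat.S_IRWXU | stat.S_ISUID,
    "g": stat.S_IRWXG | stat.S_ISGID,
    "o": stat.S_IRWXO | stat.S_ISVTX,
}
WHO_BITS["a"] = WHO_BITS["u"] | WHO_BITS["g"] | WHO_BITS["o"]
PERM_BITS = {
    "r": stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH,
    "w": stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH,
    "x": stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH,
    "s": stat.S_ISUID | stat.S_ISGID,
    "t": stat.S_ISVTX,
}


def apply_symbolic(mode, spec):
    """MODE after one symbolic change such as 'u+s', 'g-s' or 'o+t'
    (subset of chmod's grammar: [ugoa]*[+-][rwxst]+)."""
    i = 0
    who = 0
    while i < len(spec) and spec[i] in WHO_BITS:
        who |= WHO_BITS[spec[i]]
        i += 1
    who = who or WHO_BITS["a"]            # no category given: all of them
    if i >= len(spec) or spec[i] not in "+-":
        raise ValueError(f"bad symbolic mode {spec!r}")
    op, perms = spec[i], spec[i + 1:]
    bits = 0
    for ch in perms:
        bits |= PERM_BITS[ch]
    bits &= who                           # only the selected categories change
    return (mode | bits) if op == "+" else (mode & ~bits)


def octal(mode):
    """Four-digit octal, special digit first: 0o4755 -> '4755', 0o755 -> '0755'."""
    return format(stat.S_IMODE(mode), "04o")


def set_and_read(spec):
    """Start a scratch file at 0755, apply SPEC (an int for numeric modes, a str
    for symbolic ones) and return the mode the kernel reports afterwards."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o755)
        current = stat.S_IMODE(os.stat(path).st_mode)
        os.chmod(path, spec if isinstance(spec, int) else apply_symbolic(current, spec))
        return octal(os.stat(path).st_mode)
    finally:
        os.unlink(path)


def find_suid(root):
    """Regular files under ROOT with SUID or SGID set: the same listing as
    'find ROOT -type f -perm /6000'."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return sorted(hits)


def demo_find_suid():
    """Constructed tree: one SUID stand-in among ordinary files; returns what find_suid reports."""
    root = tempfile.mkdtemp()
    try:
        for name, mode in (("bin/passwd-like", 0o4755), ("bin/ls-like", 0o755), ("etc/motd", 0o644)):
            path = os.path.join(root, name)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
            os.chmod(path, mode)
        return [os.path.relpath(p, root) for p in find_suid(root)]
    finally:
        shutil.rmtree(root)
```

Run `set_and_read("u+t")` next to `set_and_read("o+t")` to see the category rule in action: the first leaves the file at 0755, the second yields 1755.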

Which of the following is an important aspect of evidence-gathering?

Back up all log files and audit trails. When gathering evidence, it is important to make backup copies of all log files and audit trails. These files help reconstruct the events leading up to the security violation. They often include important clues to the intruder's identity. Users should not have access to compromised systems while evidence-gathering is taking place. Along the same lines, damaged data should not be restored, nor transaction logs purged, while evidence-gathering is taking place.

After an intrusion has occurred and the intruder has been removed from the system, which of the following is the best step or action to take next?

Back up all logs and audits regarding the incident. The first step after an intrusion is to retain the documentation about the incident. Making backups of the logs and audits ensures that future investigations have sufficient information regarding the incident. If you were unable to discover the identity of the perpetrator or means of attack, future review of the evidence or comparison with other incidents may reveal important details or patterns. After audit trails are secured, repair damage, deploy new countermeasures, and then update the security.

Blacklisting

Blacklisting is the opposite of whitelisting. An IT admin lists the applications, IP addresses, URLs, email addresses, etc., that are to be blocked from the network. This can also be done at the firewall, the email server, and the application. Blacklisting is considered easier to do because the lists tend to be smaller. It is also possible to subscribe to blacklists produced by security companies. These lists are updated regularly, sometimes daily, and are compiled from information provided by thousands of companies that report malicious applications, IP addresses, and email addresses. This makes blacklisting easy to automate. The best practice for blacklisting is to integrate a next-gen security platform that offers a cloud-based master database of threats. Keep in mind that a blacklist only ever blocks what is already known to be bad; anything new passes until someone adds it.

You are in charge of making sure the IT systems of your company survive in case of any type of disaster in any of your locations. Your document should include organizational charts, phone lists, and order of restore. Each business unit should write their own policies and procedures with guidelines from corporate management. Which of the following documents should you create for this purpose?

Business continuity plan You would create a business continuity plan. More detailed and longer than a disaster recovery plan, a business continuity plan has procedures and policies for each business unit. The policies and procedures are written by each business unit with guidelines from corporate management. This document includes organizational charts, phone lists, order of restore, and vendor contact information. A disaster recovery plan is similar and documents the policies and procedures executed in the event of a disruption of business, but it is much less involved than the business continuity plan. A communication plan is written to communicate important company information effectively in the case of an emergency. An incident-response team charter simply describes the creation and function of a specialized team trained to identify malicious actions against a network.

Event saving

By default, events received from source computers are saved in the Forwarded Events log.

12.1.5 Section Quiz

CIST 1601

You want to store your computer-generated audit logs in case they are needed in the future for examination or to be used as evidence in the event of a security incident. Which method can you use to ensure that the logs you put in storage have not been altered when you use them in the future?

Create a hash of each log. Use a hash to verify that the contents of a log have not been altered. When you analyze the logs, take another hash and compare the new hash to the original one. If the hashes match, the logs have not been altered. Storing logs offsite makes them harder to access and alter, and this prevents a disaster at your main location from destroying the logs. Encrypting the logs protects the log confidentiality but does not prevent them from being altered, nor can it prove that the logs have not been altered. Creating two copies of the logs ensures that a single disaster does not destroy the logs. Comparing both logs to make sure they match does not guarantee that someone didn't alter both copies. In addition, if a disaster destroys one copy of the logs, you would not have a way to verify that the remaining copy has not been altered.

Sensitivity

Customized threshold for sensor data that is sent to the SIEM.

You suspect cache poisoning or spoofing has occurred on your network. Users are complaining of strange web results and being redirected to undesirable sites. Which log would help you determine what is going on?

DNS logs You would take a look at the DNS logs for DNS cache poisoning. After this, you can begin monitoring DNS query traffic. Network logs cannot help you with spoofed host name resolution. Application logs do not help you determine DNS poisoning. Security logs do little to help you identify spoofing.
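A first-pass check over resolver logs, added here as an example and not part of the original page. The log lines are constructed for the example (timestamp, client, name, record type, answer; real BIND, Unbound or Windows DNS output differs, so `parse_line` would need adapting), and the `.corp.local` suffix is an assumed name for the organization's own zone. The two checks correspond to the symptoms in the question: a name that suddenly resolves somewhere new, and an outside name that resolves into the LAN.

```python
import ipaddress

# Constructed resolver log for the example: timestamp, client, qname, type, answer.
SAMPLE_LOG = """\
2024-03-01T10:00:01 10.0.0.5 www.example.com A 203.0.113.10
2024-03-01T10:00:09 10.0.0.7 www.example.com A 203.0.113.10
2024-03-01T10:05:12 10.0.0.5 www.example.com A 198.51.100.23
2024-03-01T10:05:40 10.0.0.9 bank.example.net A 203.0.113.9
2024-03-01T10:06:02 10.0.0.9 bank.example.net A 203.0.113.9
2024-03-01T10:07:15 10.0.0.5 login.example.org A 10.0.0.66
"""

# RFC 1918 only. ipaddress.is_private would also match the documentation
# ranges (192.0.2/24, 198.51.100/24, 203.0.113/24) used for the sample answers.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Split one constructed log line; names are lowercased with the trailing dot removed."""
    ts, client, qname, rtype, answer = line.split()
    return ts, client, qname.lower().rstrip("."), rtype, answer


def records(log_text):
    for line in log_text.splitlines():
        if line.strip():
            yield parse_line(line)


def answer_changes(log_text):
    """(ts, qname, old_answer, new_answer) each time an A answer differs from the
    last one seen for that name. Legitimate changes (CDNs, round robin) show up
    here too, so confirm against the authoritative server before acting."""
    last = {}
    changes = []
    for ts, _, qname, rtype, answer in records(log_text):
        if rtype != "A":
            continue
        if qname in last and last[qname] != answer:
            changes.append((ts, qname, last[qname], answer))
        last[qname] = answer
    return changes


def external_names_to_private(log_text, internal_suffixes=(".corp.local",)):
    """(ts, qname, answer) where a name outside our own zones resolved to RFC 1918
    space: the usual result of a spoofed answer steering victims to a LAN host."""
    hits = []
    for ts, _, qname, rtype, answer in records(log_text):
        if rtype != "A" or qname.endswith(internal_suffixes):
            continue
        try:
            ip = ipaddress.ip_address(answer)
        except ValueError:
            continue
        if any(ip in net for net in RFC1918):
            hits.append((ts, qname, answer))
    return hits
```

Both checks return candidates, not verdicts: the next step the answer describes (watching query traffic) is what tells a poisoned cache apart from an upstream change.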

Which of the following BEST describes a constant?

Data or a value that does not change. A constant is data or a value that does not change (unlike a variable). A variable is a named unit of data that is assigned a value. An array is a group of related data values or elements that are grouped together. A string is a sequence of characters. Strings exist as either a literal constant or as some kind of variable.

Isolation, Containment, and Segmentation

Data, whether good or malicious, must be handled correctly. You can use isolation and containment for malicious or suspect data. You can use segmentation as a strategic network architecture tool to prevent outside data from accessing internal network appliances.

Which two types of service accounts must you use to set up event subscriptions?

Default machine account; Specific user service account. You would choose the default machine account and the specific user service account. Whichever account you use must be a member of the source computer's Event Log Readers group (the most secure choice) or of its local Administrators group.

You set up Event Subscription, but you are getting an overwhelming amount of events recorded. What should you do?

Define a filter You would choose define a filter. If a filter is not defined, all events are collected. Subscription type is required, but it does not influence the amount of events collected. Using the Runtime Status link only verifies communications are working. Using the default machine account is useful for the type of service account, but does not influence the amount of events collected.

Firewall rules

Define how a firewall is configured. The natural state of a firewall is implicit deny, meaning that any communication must be explicitly allowed by a network admin. Firewall rules specify the data that can enter or leave the internal network. These rules are the frontline security for the network and must be carefully configured.

Provenance

Demonstrates that the digital evidence gathered came from the documented origin.

Redundant Array of Independent Disks

Depending on the configuration, a RAID array can improve performance, provide fault tolerance, or both. RAID can be implemented through hardware, using a special RAID disk controller, or software. Hardware RAID is more expensive, but provides much better performance than software RAID.

During a recent site survey, you found a rogue wireless access point on your network. Which of the following actions should you take first to protect your network while still preserving evidence?

Disconnect the access point from the network. The first step in responding to an incident is to take actions to stop the attack and contain or limit the damage. For example, if an attack involves a computer system attached to the network, the first step might be to disconnect the system from the network. Although you want to preserve as much information as possible to assist in later investigations, it might be better to stop the attack, even if doing so alerts the attacker or results in the loss of evidence regarding the attack. After containing a threat, a forensic investigation can be performed on computer systems to gather evidence and identify the methods used in the attack.

cat

Displays the contents of a file in the shell. This command can display multiple files at once. cat myfile - Displays the contents of myfile. cat myfile yourfile - Displays the contents of myfile and yourfile together.

When you conduct a forensic investigation, which of the following initial actions is appropriate for preserving evidence?

Document what is on the screen. Preserving evidence while conducting a forensic investigation is a trade-off. Any attempt to collect evidence may actually destroy the very data necessary to identify an attack or attacker. Of the choices given, documenting what is on the screen is the least intrusive and the least likely to destroy critical evidence. Halting, disassembling, or stopping running processes may erase the data you need to track the intruder.

You are conducting a forensic investigation. The attack has been stopped. Which of the following actions should you perform first?

Document what is on the screen. Preserving evidence while conducting a forensic investigation is a trade-off. Any attempt to collect evidence may actually destroy the very data necessary to identify an attack or attacker. Of the choices given, documenting what's on the screen is the least intrusive and the least likely to destroy critical evidence. Halting, disassembling, or stopping running processes may erase the data you need to track the intruder.

You suspect a bad video driver is causing a user's system to randomly crash and reboot. Where would you go to identify and confirm your suspicions?

Dump files You would choose dump files. Dump files are created when an application, OS, or other computer function stops abruptly. These files help IT admins perform root-cause analysis and can give clues as to the crash's origin. This could be something as commonplace as a bad driver or hardware component, or it may prove to be the result of a malicious act. Syslog is a protocol that defines how log messages are sent from one device to a logging server on an IP network; the sending device sends a small text message to the syslog receiver (the logging server). App logs show application access, crashes, updates, and any other relevant information that could be valuable in root-cause analysis. Session Initiation Protocol (SIP) logs contain key information about where a phone call was initiated and what the communication's intent was.

Else if

Else if is a conditional statement evaluated after an if statement; if its own condition is true, it performs its function.

Else

Else is a conditional statement that if previous conditions are not true displays alternate information or performs alternate commands.

Email metadata

Email provides metadata that is used to trace messages. Every email carries a header that contains information about both the sender and the recipient. Parts of the header can be spoofed, giving investigators false information. However, some security devices (mail gateways) insert X-headers into the message header as it passes through them; these record the originating email account and IP address as the gateway observed them, not the spoofed values.

Endpoint Security Configuration

Endpoint security requires constant maintenance. This may mean changing an endpoint security configuration to improve the security posture. The following table describes tools you can use to enhance endpoint security.

Comparison | Bash | Python | PowerShell

Equal | -eq | == | -eq
Not Equal | -ne | != | -ne
Greater Than | -gt | > | -gt
Greater or Equal | -ge | >= | -ge
Less Than | -lt | < | -lt
Less or Equal | -le | <= | -le
Note: the Bash forms are the integer tests used inside [ ] and [[ ]] (strings compare with = and !=); Python 2 also accepted <> for not-equal, which Python 3 removed; PowerShell's operators always carry the leading hyphen.

You would like to get a feel for the amount of bandwidth you are using in your network. What is the first thing you should do?

Establish a baseline. You would choose to establish a baseline. Baselines provide a reference for normal and abnormal activity. After establishing a baseline, you would create data points. To help create data points, you can set up intervals in minutes, hours, days, weeks, months, or years. Longer monitor runs equal more data points. There is no need to define a protocol.

Etherflood

Etherflood is a tool that can flood a switched network with random MAC addresses.

Ettercap

Ettercap has multiple sniffing functions and can be used for ARP poisoning, passive sniffing, packet grabbing, and protocol decoding.

Source-initiated

For source-initiated subscriptions, the source computer initiates the transfer to the collector computer. This type of subscription is most efficient in environments with a large number of source computers. *To increase efficiency, you can use Group Policy to automatically push event subscription configuration settings to the source computers. To prepare source computers to use source-initiated subscriptions: 1. On the source computer, run the winrm qc -q command to start the Windows Remote Management service. 2. On the source computer, configure and enable the Event Forwarding policy through Group Policy or the local security policy. Specify the collector computer's FQDN. 3. On the collector computer, run the winrm qc -q command to start the Windows Remote Management service. 4. On the collector computer, run the wecutil qc /q command to start Windows Event Collector Service. 5. In Active Directory or on the collector computer, add the source computers to a computer group.

Source-initiated subscriptions

For source-initiated subscriptions, you configure event forwarding using the Configure target Subscription Manager Group Policy setting under Computer Configuration > Administrative Templates > Windows Components > Event Forwarding. This setting configures the source computers to forward events to the specified collector computer. *For collector-initiated subscriptions, you must manually define each source computer name in the event subscription.

Sequence of Events

Forensic investigations require that an accurate and provable sequence of events be established. There are several items that help to create this accurate narrative.

By default, events received from the source computers in Event Subscription are saved in which log?

Forwarded Events log By default, events received from source computers are saved in the Forwarded Events log. There are application security logs, event security logs, and security logs for specialty applications, such as IDS/IPS, endpoints, firewalls, routers, and switches.

For source-initiated subscriptions, which tool do you use to configure event forwarding?

Group Policy You should use Group Policy and use the Configure Target Subscription Manager Group Policy setting. The service account only provides permissions to run properly. Event forwarding settings for source-initiated subscriptions are unavailable in Event Viewer. Filters define what is collected. They do not enable and configure event forwarding.

Which method can you use to verify that a bit-level image copy of a hard drive is an exact clone of the original hard drive collected as evidence?

Hashing Hashing is the method used to verify that a bit-level image copy of a hard drive is an exact clone of the original hard drive collected as evidence. File directory listings, photographs, and serial number notation are not sufficient methods for verifying hard drive cloning.
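The same technique serves both the stored-logs question and the drive-image question above, so one added example covers them. It is not part of the original page: files are hashed in chunks so an image larger than memory works, and the manifest layout (one `sha256  path` line per file, mirroring sha256sum output) is this example's own convention. The constructed demo writes two stand-in evidence files, records their hashes, alters one, and reports which entry no longer matches.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read size; keeps memory flat for multi-gigabyte images


def sha256_file(path):
    """SHA-256 of PATH, streamed in CHUNK-sized reads."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """relative path -> sha256 for every regular file under ROOT."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def write_manifest(manifest, path):
    """sha256sum-style lines: '<hex digest>  <relative path>'."""
    with open(path, "w") as f:
        for rel in sorted(manifest):
            f.write(f"{manifest[rel]}  {rel}\n")


def read_manifest(path):
    manifest = {}
    with open(path) as f:
        for line in f:
            digest, rel = line.rstrip("\n").split("  ", 1)
            manifest[rel] = digest
    return manifest


def verify(root, manifest_path):
    """Re-hash ROOT and label each manifest entry ok / modified / missing, plus
    'unexpected' for files that were not present when the manifest was taken."""
    expected = read_manifest(manifest_path)
    actual = build_manifest(root)
    actual.pop(os.path.relpath(manifest_path, root), None)  # ignore the manifest itself
    report = {}
    for rel, digest in expected.items():
        if rel not in actual:
            report[rel] = "missing"
        else:
            report[rel] = "ok" if actual[rel] == digest else "modified"
    for rel in actual:
        if rel not in expected:
            report[rel] = "unexpected"
    return report


def demo():
    """Constructed scenario: hash two evidence files at collection time, then
    one of them is appended to before analysis."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "auth.log"), "w") as f:
        f.write("Jan  1 00:00:01 host sshd[411]: Accepted password for alice from 192.0.2.5\n")
    with open(os.path.join(root, "disk0.dd"), "wb") as f:
        f.write(b"\x00" * (2 * CHUNK + 17))  # stand-in for a bit-level image
    manifest_path = os.path.join(root, "MANIFEST.sha256")
    write_manifest(build_manifest(root), manifest_path)
    with open(os.path.join(root, "auth.log"), "a") as f:  # tampering after the fact
        f.write("Jan  1 00:00:02 host sshd[411]: Accepted password for mallory from 192.0.2.9\n")
    return verify(root, manifest_path)
```

Keep the manifest somewhere the suspect system cannot write to, or sign it: a hash only proves that a file matches the digest you kept, so a digest stored beside the evidence is worth no more than the evidence itself.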

IPFIX

IPFIX (IP Flow Information Export) can carry data that would otherwise go to Syslog or SNMP, eliminating additional services that collect data from each network device. IPFIX supports variable-length fields and vendor-defined information elements, so it is not limited to the fixed field set of earlier NetFlow versions. IPFIX addresses the need for a standardized protocol for exporting IP flow information. The data comes from routers, servers, and other network appliances (mediation systems); it is formatted, sent to an exporter, and then to a collector. IPFIX, like NetFlow, looks at flows: the number of packets and bytes sent and received during a given session.

Filters

If a filter is not defined, all events are collected.

Collector-initiated

In collector-initiated subscriptions, the collector computer sends the source computer a message requesting the event logs. Collector-initiated subscriptions require manual configuration on each source computer, so use this type of subscription only if you have a limited number of source computers that forward events. To prepare source computers for collector-initiated subscriptions, take the following steps: 1. On the source computer, run the winrm qc -q command to initiate the Windows Remote Management service. 2. On the source computer, add the collector computer's account to the local Event Log Readers group. You must also add a user account with administrative privileges to the Event Log Readers group. 3. On the collector computer, run the wecutil qc command to configure and start the Windows Event Collector service. *You must also run winrm qc on the collector if the subscription will use delivery optimization options other than the default.

Extra Information

In the last 30 years technology has changed dramatically. With the increase in digital devices there is an equal increase in the number of devices that may require forensic examination. These devices can contain the evidence a forensic investigator needs. Each smartphone, tablet, laptop, and smart watch shares common elements, namely RAM, CPU, logs, and storage space. A trained investigator must be familiar with all platforms. Network forensic data plays an important role in an investigation. Network appliances that can be important in a forensic examination include firewalls, routers, switches, domain controllers, DHCP servers, application servers, and web proxy servers. Also included are network applications such as intrusion detection and intrusion prevention systems.

Incident Response Process

Incident response is the action taken to stop an incident in process, collect all data relative to an incident, and implement the appropriate response. An incident response process helps an organization to prevent additional damage from an incident, collect data to be used in the prosecution of the threat actor, and mitigate the damage of an incident. An incident response process should: > Define what is considered an incident. > Identify who should handle the response to the incident. This person is designated as the first responder. > Describe what action should be taken when an incident is detected. Provide a detailed outline of steps to efficiently and effectively handle an incident while mitigating its effects. > Explain how and to whom an incident should be reported. > Explain when management should be notified of the incident and also outline ways to ensure that management is well-informed. > Be legally reviewed and approved. > Be fully supported by senior management and administration with appropriate funding and resources such as camera equipment, forensic equipment, redundant storage, standby systems, and backup services.

Match each network sniffing method with the correct definition.

MAC spoofing - Allows an attacker's computer to connect to a switch using an authorized MAC address.
MAC flooding - The process of intentionally overwhelming the CAM table with Ethernet frames, each originating from a different MAC address.
ARP poisoning - The MAC address of the attacker can be associated with the IP address of another host.
Port mirroring - Creates a duplicate of all network traffic on a port and sends it to another device.

MITRE ATT&CK

MITRE ATT&CK is a universally accessible knowledge base of adversary tactics, techniques, and other operational information about malicious actors. The data has been gathered and aggregated from empirical observations of real intrusions. All of it is available to anyone for free.

Internal stakeholders

Maintain an open dialogue with all internal departments about development, implementation, testing, etc., of incident response.

As a security analyst, you are configuring your environment to be able to properly gather digital forensic information. Which of the following must be set up to help create a timeline of events?

Make sure all client computers have their time set accurately by a time server. You would choose to make sure that all client computers have their time set accurately by a time server. Event logs are only as reliable as the system they come from. These logs show exactly what happened on a specific computer and are also timestamped. These timestamps provide the backbone for a timeline of events, which allows the evidence to be admissible. You should also configure the correct time offset by setting the correct time zone.

Metadata

Metadata is produced by almost all network activity. Server requests, applications, and email are some examples of where metadata can be found. In the context of bandwidth monitors, metadata is used to investigate security related concerns or incidents. The following table describes three types of metadata.

As a security analyst, you suspect a threat actor used a certain tactic and technique to infiltrate your network. Which incident-response framework or approach would you utilize to see if other companies have had the same occurrence and what they did to remedy it?

MITRE ATT&CK You would use the MITRE ATT&CK framework. This is a universally accessible, free knowledge base that contains tactics, techniques, and other operational information about malicious actors. The Diamond Model of Intrusion Analysis defines adversary, victim, capabilities, and infrastructure; this model does not consider attacks other companies have experienced. The Cyber Kill Chain exists to provide visibility into the hurdles a malicious actor must clear and so make it easier to defend your assets. Communicating with stakeholders would not produce the solutions other companies have created to fight the same threat.

As a security analyst, you have discovered the victims of an malicious attack have several things in common. Which tools would you use to help you identify who might be behind the attacks and prevent potential future victims?

MITRE ATT&CK; Diamond Model of Intrusion Analysis You would choose the Diamond Model of Intrusion Analysis and use the MITRE ATT&CK knowledge base to help you. For example, by identifying the types of victims and why they were attacked, the analyst/first responder can make an educated guess as to who is behind the attack and who the potential victims are. This information can then be compared against the MITRE ATT&CK database; since there are always unknowns, the database helps to fill in some of them. The Cyber Kill Chain provides visibility into the hurdles a malicious actor must overcome to carry out an attack. This makes the malicious actor's moves highly visible to a first responder or security analyst and is valuable in the defense of assets. Disaster recovery plans do not include an analysis of threats and victims. While stakeholder management is important, it won't assist you in analyzing future threats.

You need to remotely wipe an android phone for one of your rogue users. Which endpoint tool would you use?

Mobile device management (MDM) You would choose mobile device management (MDM). MDM offers a way to easily monitor and manage mobile devices, including updates, data encryption, and remote wipes of a compromised device. MAM lets a system administrator publish, push, configure, secure, monitor, and update mobile apps; it does not provide options to remotely wipe a device. MAM-WE (MAM without enrollment) is MAM for devices that are not enrolled in MDM, including devices enrolled with a third-party enterprise mobility management (EMM) provider and personal devices, so sensitive data inside the managed apps can still be controlled. Quarantining refers to antivirus software isolating a malicious item it has found, or to isolating a network endpoint.

Mobile device management (MDM)

Mobile devices now outnumber traditional network devices. These endpoints present unique challenges since the devices are not physically protected by locked office doors. MDM offers a way to easily monitor and manage mobile devices including updates, data encryption, and remote wipe of a compromised device.

NetFlow

NetFlow is a feature on Cisco routers. It works at layers 2 - 4. It can examine each data flow that comes through the network, or it can be set to sample sessions at certain intervals.

Data Analyzers

Network admins should always be looking for ways to examine what is happening inside the network. There are a number of tools to help sift through the tremendous amounts of data generated by network activity. The following table describes some of these tools.

Switched Network Sniffing

Networks that include switches can provide an initial challenge to an attacker because switches prevent sniffing an entire network. The following table lists methods an attacker can use to sniff out portions of a network.

Subscription configuration

On the collector, you configure a subscription in Event Viewer. You must specify: > A subscription name. > The destination log (usually Forwarded Events). > The subscription type (collector-initiated or source-initiated). > The computer (for a collector-initiated subscription) or the computer group (for a source-initiated subscription). > The filter criteria for selecting the events to forward.
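The filter criteria are an XPath query in the Windows Event Log query syntax; the XML built below is what the XML tab of a subscription's Select Events dialog (and Event Viewer's Filter Current Log, and `wevtutil qe /q:`) accepts. This is an added example and not part of the original page: the event IDs, log names and the Suppress clause are the example's own choices. With nothing to filter on it emits `*`, which is the collect-everything case the subscription question warns about; a Suppress clause is how you drop a known-noisy ID while keeping the rest.

```python
import xml.etree.ElementTree as ET


def _select(event_ids, levels):
    """'*' when unfiltered, otherwise *[System[...]] in the Event Viewer style."""
    parts = []
    if levels:  # 1=Critical 2=Error 3=Warning 4=Information 5=Verbose
        parts.append("(" + " or ".join(f"Level={lv}" for lv in levels) + ")")
    if event_ids:
        parts.append("(" + " or ".join(f"EventID={i}" for i in event_ids) + ")")
    return "*" if not parts else "*[System[" + " and ".join(parts) + "]]"


def build_query(log_path, event_ids=(), levels=(), suppress_ids=(), query_id=0):
    """QueryList XML selecting EVENT_IDS/LEVELS from LOG_PATH, minus SUPPRESS_IDS."""
    xml = (f'<QueryList><Query Id="{query_id}" Path="{log_path}">'
           f'<Select Path="{log_path}">{_select(event_ids, levels)}</Select>')
    if suppress_ids:
        xml += f'<Suppress Path="{log_path}">{_select(suppress_ids, ())}</Suppress>'
    return xml + "</Query></QueryList>"


def select_expression(query_xml):
    """Parse the query back (so a malformed one fails here, not on the collector)
    and return the Select XPath."""
    return ET.fromstring(query_xml).find("Query/Select").text


def suppress_expression(query_xml):
    node = ET.fromstring(query_xml).find("Query/Suppress")
    return None if node is None else node.text


if __name__ == "__main__":
    # Logons and failed logons from Security, without the chatty 4672 privilege-assignment event.
    print(build_query("Security", event_ids=(4624, 4625), levels=(1, 2, 3, 4), suppress_ids=(4672,)))
```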

Reports

Once the analysis of the evidence is done, you must report the findings. You should present the information in a well-written document that is legally appropriate and defensible. Therefore, you should probably engage the services of a lawyer to write this document to make sure it's done correctly. This document needs to be self-contained, meaning that all necessary information necessary is in the document. It shouldn't contain references or links to other documents. Everything needed is in the document itself. It should: > Describe the incident. > Describe the computer forensics team's response. > Report what happened during the acquisition of evidence. > Describe how the evidence was analyzed. > Report what was found in the evidence.

TCPReplay

One of the most critical aspects of a cybersecurity plan is testing. Organizations may employ white-hat hackers to attempt attacks and report their findings so network managers can reconfigure security devices, address vulnerabilities, and mitigate potential risk. One tool that can be used to simulate attacks is TCPReplay. Once a packet capture has been taken with TCPDump or Wireshark, it can be sent out again and again to test devices such as firewalls, IDS/IPS, and NetFlow collectors, as well as infrastructure equipment such as switches and routers. Using TCPDump or Wireshark, a simulated attack can be executed and its packets captured. After manipulating the packet capture as needed (tcprewrite, from the same suite, is the tool for rewriting addresses), you can test defensive equipment by replaying the attack with TCPReplay. After the test, you analyze the results for alerts, detection, or prevention. The test identifies remediation points and areas that need reconfiguration. After remediation, the test can be replayed again and the results reevaluated, as many times as needed until network management deems the vulnerability closed. TCPReplay has several switches and options, a few of which are listed in the following table.
Option | Description
-K | Preloads the packet capture file into RAM for faster access. Use this only if your system has enough RAM to hold the whole capture.
-M number | Replays packets at the given Mbps (megabits per second) rate. This parameter can be used to throttle the output.
-L number | Limits the number of packets sent. This can be used for limited tests to ensure that the system is set up correctly and to perform a quick end-to-end test.
-d number | Sets the verbosity of debug output, in the range 0 through 5 (higher numbers increase verbosity). Only available when TCPReplay was built with the --enable-debug option.
TCPReplay can be a helpful tool for testing the success or failure of security equipment and infrastructure. When used correctly, it provides network management with the information needed to keep an organization as safe as possible against attack. It provides vulnerability data that can be remediated and tested again until the risk is minimized.

Which of the following BEST describes PuTTY?

Open-source software that is developed and supported by a group of volunteers. PuTTY is open-source software that is developed and supported by a group of volunteers. Secure Sockets Layer (SSL) is a method that provides an encryption standard that's widely used by internet websites. A scripting language is a programming language made for a special runtime environment that automates the execution of tasks. A shell refers to the mechanism that allows you to interact with the operating system directly.

Public Key Infrastructure (PKI)

PKI provides a system for the secure transmission of data. One component of PKI is the use of a key pair, one public and one private, that can be used to encrypt data. It also uses certificates to verify identity.

Packet capture

Packet capture is the process of collecting Layer 3 (Network layer, such as IP address) information over the wire.

Packet Capturing

Packet capturing, also referred to as sniffing, is the process of collecting information as it crosses the network. Sniffing is similar to eavesdropping or wiretapping. It can be active or passive. Monitoring traffic is passive sniffing. Altering traffic in any way is active sniffing. For sniffing to be effective, the network interface must be in promiscuous mode. Normally, an interface is set to grab only frames that are directed to its own MAC address. Turning on promiscuous mode gives the interface permission to grab every frame that comes its way, even if the frame is addressed to someone else. A lot of information can be gathered during this process. Attackers examine each packet closely to see which ones are useful. There are several tools an attacker can use to make this job much easier, but it's important to know what attackers focus on. One key area of focus is packets that are sent with less-secure protocols. Many protocols were designed with the concept that encryption happens at another layer. For example:
> SMTP was designed to deliver an email message without encrypting it.
> POP3 was designed to retrieve emails; therefore, passwords and usernames are easy to intercept from it.
> FTP was designed to transmit files; all FTP traffic is sent in clear text.
> IMAP, HTTP, and Telnet send passwords and data using clear text.

Trend

Patterns of activity discovered and reported to the SIEM.

You would like to enhance your incident-response process and automate as much of it as possible. Which of the following elements would you need to include? (Select two.)

Playbooks Runbooks You would choose runbooks and playbooks. Runbooks are a condition-based series of protocols you can use to establish automated processes for security-incident response. A playbook is a checklist-style document that specifies the steps to be taken in response to a threat or incident. The steps are listed in the order to be performed. A playbook ensures a consistent approach to security issues. Whitelisting allows an IT admin to control the applications, IP addresses, URLs, email addresses, etc. that are allowed onto the network. Blacklisting is the opposite of whitelisting. Quarantining is when antivirus software finds a malicious item and isolates it in a special folder.

TCPDump

TCPDump is a command line sniffer designed for the Linux environment. This tool filters the contents of packets going through a network interface. TCPDump has several switches and options, a few of which you'll find in the following table.
Option | Description
-i | Puts an interface into listening mode.
-w | Specifies the file the data should be saved in.
-a | Requests that ASCII strings are included in the output.
-x | Requests that ASCII and hexadecimal strings are included in the output.
-v | Turns on verbosity.
-n | Turns off DNS lookups.
dst | Requests that all traffic going to a specified destination is captured.
src | Requests that all information coming from a specified source is captured.
host | Requests that all traffic going to a specified destination and from a specified source is captured.
pcap | Requests that captured content be saved to a specified file.

You would like to simulate an attack on your network so you can test defense equipment and discover vulnerabilities in order to mitigate risk. Which tool would you use to simulate all the packets of an attack?

TCPReplay You would use TCPReplay. You could use TCPDump or Wireshark to capture the packets, but you would use TCPReplay to actually replay and simulate the attack. Etherflood is a tool that can flood a switched network with random MAC addresses.

TCPReplay

TCPReplay is a tool you can use to repeatedly simulate an attack.

Mobile metadata

Tablets, laptops, smartphones, smart watches, and any other device that connects to the internet and can be moved around produce mobile metadata. These devices send emails and text messages and use apps. All of these produce metadata that can be used to identify people, places, times, and even deleted data. Pictures can be timestamped and geolocation-stamped. Much of this metadata also reveals the origin of the data and the sender.

ARP poisoning

The Address Resolution Protocol (ARP) maps IP addresses to MAC addresses and provides the most efficient path for data transmission. ARP broadcasts are permitted to freely roam the network. An attacker can use the free flow of traffic for an advantage. By sending spoofed messages onto a network, the MAC address of the attacker can be associated with the IP address of another host, preferably the default gateway. As a result, the target machine will send frames to the attacker's system, thinking that it is the gateway. The attacker will then typically forward the frame to the original destination.

Cyber Kill Chain

The Cyber Kill Chain was developed by Lockheed Martin to identify and provide visibility of the hurdles a malicious actor must overcome to achieve the objective of an exploit or attack. This makes the malicious actor's moves highly visible to a first responder or security analyst and is valuable in the defense of assets. The following seven steps of an attack help a security analyst identify the phases of an attack in progress.
> Reconnaissance
> Weaponization
> Delivery
> Exploitation
> Installation
> Command and control
> Actions on objectives

Diamond Model of Intrusion Analysis

The Diamond Model has four points: adversary, victim, capabilities, and infrastructure. There is always a direct connection between adversary and victim. There is also a direct connection between capabilities and infrastructure. The way this model is used is very much up to the security analyst. Normally, analysts and first responders use these points (called meta or core features) to find and predict attacks. For example, by identifying the types of victims and why they were attacked, the analyst or first responder can make an educated guess as to who is behind the attack and who the potential victims are. This information can then be compared against information in the MITRE ATT&CK database. Since there are always unknowns, the database helps to fill in some of the unknowns.

SSH (Secure Shell)

The SSH (Secure Shell) protocol is used to secure and encrypt the connection between a client and a server or other remote device. All user authentication, commands, output, and file transfers are encrypted to protect against attacks in the network. To use SSH, you need an SSH terminal emulator such as PuTTY. PuTTY is an SSH and Telnet client, developed originally for the Windows platform. PuTTY is open-source software that is developed and supported by a group of volunteers. PuTTY is just one example of a terminal emulator. SSH can be used for many applications across different platforms, including Linux and Windows. SSH can be used for such things as:
> Logging in to a shell on a remote host, such as a Linux system, a firewall, or another network device.
> Executing commands on a remote host.
> Setting up automatic (passwordless) login to a remote server.
> Securing file transfer protocols.

Fault tolerance

The ability to respond to an unexpected hardware or software failure without loss of data or loss of operation.

Incident response

The action taken to deal with an incident, both during and after the incident.

Collector-initiated subscriptions

The collector computer initiates the collection of events from various source computers.

SIEM dashboards

The dashboard is a common component of all SIEM systems. The dashboard consists of customizable information screens that show real-time security and network information. The information in real time allows the IT security team to effectively monitor and respond to events on the network.

Hard drive

The data on the hard disk drive is a key piece of evidence in a computer forensics investigation. A lot of the things that we do on a computer system are saved in some way on the hard disk drive, including data in virtual memory. A wealth of data is there. In addition, information attached to deleted files may still be on the disk. Therefore, the hard drive itself is a gold mine of evidence for a prosecutor. Caution must be exercised when making a copy of the disk. A regular file-for-file copy is not good enough. It needs to be a sector-by-sector copy that includes formerly deleted but still accessible data.

First responder

The first person on the scene after a security incident has occurred.

File Viewing Commands

The following commands can be used to control how Linux files are viewed:

Additional Sniffing Tools

The following table describes additional tools.

Implement Secure Network Designs

The following table describes secure network designs.

Source-initiated Subscription

The source system initiates the collection of events.

Bash, Python, and PowerShell

The table below compares code samples of Bash, Python, and PowerShell.

Key Areas of Digital Forensics

There are procedures you must follow when you gather and preserve evidence. Any of these procedures could make or break your legal case. Learning how to go about this evidentiary process is vital to any electronic forensic investigation. Become familiar with procedures related to the following areas.

Unethical gathering of competitive information

This is also known as corporate espionage. The goal is to obtain proprietary information in order to obtain a competitive advantage or steal clients.

12.2.2 Reconfigure and Protect Endpoints Facts

This lesson covers the following topics: > Application endpoint protection > Endpoint security configuration

12.1.4 Incident Response Frameworks and Management Facts

This lesson covers the following topics: > Attack frameworks > Stakeholder management > Internal policies

12.3.10 Monitoring Data and Metadata Facts

This lesson covers the following topics: > Bandwidth monitors > Metadata > Data analyzers

12.6.2 Manipulating Files Facts

This lesson covers the following topics: > File viewing commands > File management commands

12.7.2 Redundancy Facts

This lesson covers the following topics: > Implement secure network designs > Manage redundant power options

12.2.4 Isolate and Containment Facts

This lesson covers the following topics: > Isolation, containment, and segmentation > Security orchestration, automation, and response (SOAR) > Incident plans

12.5.9 Forensic Investigation Facts

This lesson covers the following topics: > Key areas of digital forensics > Sequence of events > Digital data collection

12.6.7 Packet Capture Facts

This lesson covers the following topics: > Packet capturing > Switched network sniffing > Wireshark > TCPDump > TCPReplay > Additional sniffing tools

12.1.2 Incident Response Process Facts

This lesson covers the following topics: > Security incident > Incident response process

Time offset

Time offset refers to the time on a computer or device compared to Greenwich Mean Time (GMT). All offsets use GMT as a baseline from which you are either + or - a number of hours. For example, if your computer is set to Mountain Daylight Time, then it is -7 hours or GMT -06:00. Because a computer will use different formats to record time stamps, you must understand the offset needed to show consistency. In a Windows NTFS file system, all time stamps are logged using GMT, not the local time zone. Documents manipulated within NTFS will show local time within the document but GMT when retrieved.

Time stamps

Time stamps provide an exact date and time of an event. The event could be when a document is created, edited, moved, or downloaded. It could be when a video is captured or a picture is taken. Time stamps also apply to emails, instant messages, video downloads, video uploads, and data packets extracted from a network. A time stamp must be accurate for admissibility. An inaccurate or missing time stamp creates doubt and can lead to evidence being inadmissible. It is important for you to ensure that all servers, wireless access points, security cameras, and physical entry points are recording time stamps correctly.

What is the purpose of audit trails?

To detect security-violating events. The purpose of audit trails is to detect security-violating events or actions. Auditing itself is used to prevent security breaches, and audit trails are used for detective control. Neither auditing nor audit trails correct problems or restore systems to normal operations. That is done by the IT staff that inspects the contents of audit trails and creates a solution that is then implemented into the environment via the security policy.

Bandwidth Monitors

Today's bandwidth monitors provide a broader array of functions than simply monitoring the volume and speed of internet traffic. Bandwidth monitors can help you understand network usage, the protocols being used, users who consume a lot of bandwidth, and who is communicating on the network. When you use a bandwidth monitor, you will:
> Establish and update baselines. Baselines provide a reference for normal and abnormal activity.
> Create data points. To be useful and accurate, a baseline requires thousands of data points. Data points are customizable.
> You can set connectivity, file activity, and access attempts and failures.
> Set intervals. You can set intervals in minutes, hours, days, weeks, months, or a year. Longer monitor runs equal more data points.

12.7.6 Configure Fault-Tolerant Volumes

You are the IT administrator for a small corporate network. You have installed the Windows Server 2019 operating system on a server named CorpServer2. During this installation, you created a single partition that took up the entire first disk. You would like to add fault tolerance to the system volume and create an additional fault-tolerant volume for storing data. Four additional, uninitialized hard disks have been installed in the server for this purpose. In this lab, your task is to complete the following:
> To add fault tolerance for the System (C:) volume, create a mirrored volume using Disk 1.
> Create a new volume that provides both fault tolerance and improved performance using the following settings:
Disks: Disk 2, Disk 3, and Disk 4
Volume size: 2048000 MB (2 TB)
Drive letter: R
Format: NTFS
Volume label: Data
*You cannot create a RAID 5 volume from an existing volume.
Complete this lab as follows:
1. Mirror an existing volume as follows:
Right-click Start and then select Disk Management.
Select OK to initialize new disks.
Maximize the Disk Management window to better view the volumes.
Right-click the System (C:) volume and select Add Mirror.
Select Disk 1. This is the disk that will be used for the mirrored copy.
Select Add Mirror.
Select Yes to convert the basic disk to a dynamic disk.
2. Create a RAID 5 volume as follows:
From Disk Management, right-click Disk 2, which has free space, and select New RAID 5 Volume.
Select Next.
Under Available, hold down the Ctrl key and then select Disk 3 and Disk 4 to be part of the new volume with Disk 2.
Select Add.
Select Next.
Using the Assign the following drive letter drop-down, select R and then click Next.
Make sure that NTFS is selected as the file system.
Change the Volume label field to Data and then select Next.
Select Finish to create the volume.
Select Yes to convert the basic disk to a dynamic disk.

Type of service account

You can use one of the following options for the type of service account that will be used by the subscription:
> Default machine account
> A specific user service account
*Either type of account must be a member of either the source computer's Event Log Readers group (the most secure choice) or its local Administrators group.

For some reason, when you capture packets as part of your monitoring, you aren't seeing much traffic. What could be the reason?

You forgot to turn on promiscuous mode for the network interface. The most likely reason is that you forgot to turn on promiscuous mode for your network interface. Turning on promiscuous mode gives the interface permission to grab every frame that comes its way, even if the frame is addressed to someone else.

Stakeholder Management

You might use a table to organize communication pathways with stakeholders.

Configuration

You must configure both the source and collector computers for event forwarding:
> On the source and collector computers, start the Windows Remote Management service.
> On the collector computer, start the Windows Event Collector service.
> On the source computers, configure a Windows Firewall exception for HTTP or HTTPS.

Your browser has blocked you from your crucial secure intranet sites. What could be the problem?

Your SSL certificate status has been revoked. Your SSL certificate status has been revoked. CAs can revoke certificates for any number of reasons. Many browsers block websites with invalid certificates. HTTP would not be possible when the websites are requiring SSL connectivity (HTTPS). Content filtering is a strategy to keep employees from accessing unauthorized content on the web, not internally on intranet sites. The firewall rule would only affect users going out to the internet or traffic flowing in. This would not apply to intranet sites within the corporate network.

Internal Policies

Your company should have internal policies in place to handle incidents and respond to them appropriately. The following table describes a few of these policies.
