Chapter 17: Performing Incident Response


Some general guidelines for configuring egress filtering are:

- Allow only authorized application ports and, if possible, restrict the destination addresses to authorized Internet hosts
- Restrict DNS lookups
- Block access to "known bad" IP address ranges
- Block outbound traffic from any IP address space that is not authorized for use on your local network
- Block all Internet access from host subnets that do not need to connect to the Internet

In this stage of the kill chain the attacker typically uses the access that has been achieved to covertly collect information from target systems and transfer it to a remote system (data exfiltration). The attacker may have other goals or motives, however.

Actions on objective

A knowledge base maintained by the MITRE Corporation for listing and explaining specific adversary tactics, techniques, and procedures.

Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK)

This terminology is used for government facilities, but is functionally similar to business continuity planning. In some definitions, it refers specifically to backup methods of performing mission functions without IT support.

Continuity of Operation Planning (COOP)

This phase analyzes the incident and the responses to it to identify whether procedures or systems could be improved. It is imperative to document the incident. The outputs from this phase feed back into a new preparation phase in the cycle.

Lessons learned

This can be seen as a special class of incident where the organization's primary business function is disrupted. It requires considerable resources, such as shifting processing to a secondary site, and will involve a wider range of stakeholders than less serious incidents.

Disaster recovery plan

In this stage of the kill chain the weaponized code is executed on the target system by this mechanism. For example, a phishing email may trick the user into running the code, while a drive-by download would execute on a vulnerable system without user intervention.

Exploitation

When a suspicious event is detected, it is critical that this person on the CIRT be notified so that they can take charge of the situation and formulate the appropriate response.

First responder

Off-the-Record (OTR), Signal, or WhatsApp, or an external email system with message encryption (S/MIME or PGP) are good for

For file and data exchange

In this stage of the kill chain this mechanism enables the weaponized code to run a remote access tool and achieve persistence on the target system.

Installation

This involves removing an affected component from whatever larger environment it is a part of. A simple option is to disconnect the host from the network completely. If a group of hosts is affected, you could use the routing infrastructure to send traffic from one or more infected virtual LANs (VLANs) to a black hole, or use firewalls or other security filters to prevent infected hosts from communicating.

Isolation

A model developed by Lockheed Martin that describes the stages by which a threat actor progresses a network intrusion.

Kill Chain

This is the stage that makes the system resilient to attack in the first place. This includes hardening systems, writing policies and procedures, and setting up confidential lines of communication. It also implies creating incident response resources and procedures.

Preparation

The principal stages in the incident response life cycle

Preparation -> Identification -> Containment -> Eradication -> Recovery -> Lessons Learned

In this stage of the kill chain the attacker determines what methods to use to complete the phases of the attack and gathers information about the target's personnel, computer systems, and supply chain.

Reconnaissance

Stages of the cyber kill chain

Reconnaissance -> Weaponization -> Delivery -> Exploitation -> Installation -> Command and control (C2 or C&C) -> Actions on objective

Eradication of malware or other intrusion mechanisms and recovery from the attack will involve several steps:

Reconstitution of affected systems -> Re-audit security controls -> Ensure that affected parties are notified and provided with the means to remediate their own systems

This phase may involve restoration of data from backup and security testing. Systems must be monitored more closely for a period to detect and prevent any recurrence of the attack. The response process may have to iterate through multiple phases of identification, containment, eradication, and recovery to effect a complete resolution.

Recovery

This uses the same configuration file syntax as the original syslog daemon, but can work over TCP and use a secure (TLS) connection. It also supports more types of filter expressions in its configuration file to customize message handling.

Rsyslog

Audit events, such as a failed logon or access to a file being denied.

Security Windows event log

This is a means of achieving the isolation of a host or group of hosts using network technologies and architecture. Segmentation uses VLANs, routing/subnets, and firewall ACLs to prevent a host or group of hosts from communicating outside the protected segment.

Segmentation-based containment

A network tap or port mirror that performs packet capture and intrusion detection.

Sensors

Events generated during the installation of Windows.

Setup Windows event log

This is a team-based exercise/training, where the red team attempts an intrusion, the blue team operates response and recovery controls, and a white team moderates and evaluates the exercise. This type of training requires considerable investment and planning.

Simulation

_________________________ can show when a data point should be treated as suspicious.

Statistical deviation analysis

This provides an open format, protocol, and server software for logging event messages. It is used by a very wide range of host types. It usually uses UDP port 514. Messages comprise a PRI code, a header containing a timestamp and hostname, and a message part. Two later implementations extend the original ____________ specification: Rsyslog and Syslog-ng.

Syslog
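
The message layout described above (PRI code, then a header with timestamp and hostname, then the message text), as an added example that is not part of the original page. The parser below decodes the PRI into facility and severity and filters by severity; the sample datagrams are constructed, and the facility and severity name tables are the standard ones, not anything taken from the page.

```python
# Added example (not code from the page): parse BSD-style syslog messages
# into PRI, header and message parts, then filter by severity.
import re
from dataclasses import dataclass

FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI> followed by a "Mmm dd hh:mm:ss" timestamp, a hostname, and free-form text.
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$",
    re.DOTALL,
)


@dataclass
class SyslogMessage:
    facility: str
    severity: str
    timestamp: str
    hostname: str
    message: str


def parse_syslog(line: str) -> SyslogMessage:
    """Split one syslog line into its parts; raise ValueError if malformed."""
    m = _SYSLOG_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError(f"not a syslog message: {line!r}")
    pri = int(m.group("pri"))
    if pri > 191:  # 24 facilities * 8 severities - 1 is the largest valid PRI
        raise ValueError(f"PRI out of range: {pri}")
    # PRI = facility * 8 + severity, so the low three bits carry the severity.
    return SyslogMessage(
        facility=FACILITIES[pri >> 3],
        severity=SEVERITIES[pri & 7],
        timestamp=m.group("ts"),
        hostname=m.group("host"),
        message=m.group("msg"),
    )


def at_least(msgs, severity: str):
    """Keep messages at the given severity or worse (lower index = more severe)."""
    cutoff = SEVERITIES.index(severity)
    return [m for m in msgs if SEVERITIES.index(m.severity) <= cutoff]


# Constructed sample datagrams, as they would arrive on UDP/514.
SAMPLE = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<13>Feb  5 17:32:18 10.0.0.99 Use the BFG!",
    "<85>Jun  3 09:01:07 bastion sshd[2112]: Failed password for invalid user admin "
    "from 203.0.113.7 port 51022 ssh2",
]

if __name__ == "__main__":
    parsed = [parse_syslog(s) for s in SAMPLE]
    for p in at_least(parsed, "notice"):
        print(p.facility, p.severity, p.hostname, p.message)
```

PRI 34 decodes to facility 4 (auth) and severity 2 (crit); PRI 85 to authpriv/notice. Because UDP carries no delivery guarantee, a collector should treat a parse failure as a logged anomaly rather than silently drop the datagram.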

This uses a different configuration file syntax, but can also use TCP/secure communications and has more advanced options for message filtering.

Syslog-ng

Events generated by the operating system and its services, such as storage volume health checks.

System Windows event log

The process of detecting patterns or indicators within a data set over a time series and using those patterns to make predictions about future events. It can apply to frequency, volume, or statistical deviation.

Trend analysis

There are multiple channels by which incident events or precursors may be recorded:

- Log files, error messages, IDS alerts, and firewall alerts
- Comparing deviations to established metrics to recognize incidents and their scopes
- Manual or physical inspections of site, premises, networks, and hosts
- Notification by an employee, customer, or supplier
- Public reporting of new vulnerabilities or threats

Many _____ systems use the Session Initiation Protocol (SIP) to identify endpoints and set up calls, and they are vulnerable to most of the same vulnerabilities and exploits as web communications.

VoIP

A scan engine might log or alert when this report contains vulnerabilities. The report can be analyzed to identify vulnerabilities that have not been patched or configuration weaknesses that have not been remediated, and these can be correlated to recently developed exploits.

Vulnerability Scan Output

In this training model, a facilitator presents the scenario but the incident responders demonstrate what actions they would take in response.

Walkthroughs

In this stage of the kill chain the attacker couples payload code that will enable access with exploit code that will use a vulnerability to execute on the target system.

Weaponization

Web servers are typically configured to log HTTP traffic that encounters an error or traffic that matches some predefined rule set. Most web servers use the Common Log Format (CLF) or the W3C Extended Log File Format to record the relevant information.

Web/HTTP Access Logs

Forensics procedures are detailed and time-consuming, whereas the aims of ____________________________ are usually urgent.

incident response

Status codes in the 500 range of Web/HTTP access logs indicate

server-side errors

In Linux, to view events in journald directly, you can use the ____________ command to print the entire journal log, or you can issue various options with the command to filter the log in a variety of ways.

journalctl

System memory contains volatile data. A system _______________ creates an image file that can be analyzed to identify the processes that are running, the contents of temporary file systems, registry data, network connections, cryptographic keys, and more. It can also be a means of accessing data that is encrypted when stored on a mass storage device.

memory dump

Secure communication between the trusted parties of the CIRT is essential for managing incidents successfully. It is imperative that adversaries not be alerted to detection and remediation measures about to be taken against them. The team requires an "_______________________________________" communication method that cannot be intercepted.

out-of-band or off-band

This is a data-driven standard operating procedure (SOP) to assist junior analysts in detecting and responding to specific cyberthreat scenarios, such as phishing attempts, SQL injection, data exfiltration, connection to a blacklisted IP range, and so on.

playbook

This starts with a SIEM report and query designed to detect the incident, and identifies the key detection, containment, and eradication steps to take.

playbook

Repeated 403 ("Forbidden") responses may indicate that the server is

rejecting a client's attempts to access resources it is not authorized to use.

A SIEM can enact a____________ policy so that historical log and network traffic data is kept for a defined period. This allows for retrospective incident and threat hunting, and can be a valuable source of forensic evidence.

retention

This is also important for retrospective incident handling, or threat hunting. This policy for historic logs and data captures sets the period over which these are retained. You might discover indicators of a breach months or years after the event. Without a ______________ policy to keep logs and other digital evidence, it will not be possible to make any further investigation.

retention policy

_________, developed by InMon and published as an informational RFC (tools.ietf.org/html/rfc3176), uses sampling to measure traffic statistics at any layer of the OSI model for a wider range of protocol types than the IP-based NetFlow. It can also capture the entire packet header for samples.

sFlow

Training on specific incident response scenarios can use three forms:

tabletop, walkthroughs, and simulations

A _______ is difficult to spot by examining each event in a log file. Instead, you need software to visualize the incidence of types of event and show how the number or frequency of those events changes over time.

trend

In this stage of the kill chain the weaponized code establishes an outbound channel to a remote server that can then be used to control the remote access tool and possibly download additional tools to progress the attack.

Command and control (C2 or C&C)

Effective incident response is governed by

formal policies and procedures

Events generated by applications and services, such as when a service cannot start.

Application Windows event log

The five main categories of Windows event logs are:

Application, Security, System, Setup, and Forwarded Events

This stage limits the scope and magnitude of the incident. The principal aim of incident response is to secure data while limiting the immediate impact on customers and business partners.

Containment

Logon attempts for each host are likely to be written to its security log. You might also need to inspect logs from the servers authorizing logons, such as RADIUS and TACACS+ servers or Windows Active Directory (AD) domain controllers.

Authentication Logs

This identifies how business processes should deal with both minor and disaster-level disruption. During an incident, a system may need to be isolated. This planning ensures that there is processing redundancy supporting the workflow, so that when a server is taken offline for security remediation, processing can failover to a separate system.

Business continuity plan (BCP)

These servers may log an event each time they handle a request to convert between a domain name and an IP address.

DNS Event Logs

This mediates the copying of tagged data to restrict it to authorized media and services.

Data loss prevention (DLP)

In this stage of the kill chain the attacker identifies a vector by which to transmit the weaponized code to the target environment, such as via an email attachment or on a USB drive.

Delivery

A framework to analyze an intrusion event (E) by exploring the relationships between four core features: adversary, capability, infrastructure, and victim. Each event may also be described by meta-features, such as date/time, kill chain phase, result, and so on. Each feature is also assigned a confidence level (C)

Diamond Model of Intrusion Analysis

Once the incident is contained, this stage removes the cause and restores the affected system to a secure state by applying secure configuration settings and installing patches.

Eradication

Events that are sent to the local log from other hosts.

Forwarded Events Windows event log

__________________________ establishes a baseline for a metric, such as the number of NXDOMAIN DNS log events per hour of the day. If the metric exceeds (or in some cases undershoots) the threshold for the baseline, then an alert is raised.

Frequency-based trend analysis
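
The baseline-and-threshold check just described, together with the statistical deviation analysis and trend cards elsewhere on this page, as an added example that is not code from the page. It builds an hourly mean and standard deviation of NXDOMAIN counts from past days and scores new observations as z-scores. The seven-day history and today's counts are constructed, and the 3-sigma threshold and the `min_stdev` floor are assumptions chosen for illustration.

```python
# Added example (not code from the page): frequency-based trend analysis with a
# statistical-deviation check over per-hour NXDOMAIN counts.
import statistics
from collections import defaultdict


def build_baseline(history):
    """history: iterable of (day, hour_of_day, count). Returns {hour: (mean, stdev)}."""
    by_hour = defaultdict(list)
    for _day, hour, count in history:
        by_hour[hour].append(count)
    return {h: (statistics.mean(v), statistics.pstdev(v)) for h, v in by_hour.items()}


def score(baseline, hour, count, z_threshold=3.0, min_stdev=1.0):
    """Return (verdict, z) where verdict is 'high', 'low', 'normal' or 'unknown'.

    min_stdev (an assumed floor) stops a perfectly flat baseline from turning
    every one-event change into a 3-sigma alert.
    """
    if hour not in baseline:
        return ("unknown", 0.0)  # no history for this hour: nothing to compare against
    mean, sd = baseline[hour]
    z = (count - mean) / max(sd, min_stdev)
    if z >= z_threshold:
        return ("high", z)
    if z <= -z_threshold:
        return ("low", z)  # undershoot: e.g. a log source that stopped reporting
    return ("normal", z)


def scan(baseline, observations, **kw):
    """observations: iterable of (hour, count). Returns anomalies as (hour, count, verdict, z)."""
    alerts = []
    for hour, count in observations:
        verdict, z = score(baseline, hour, count, **kw)
        if verdict in ("high", "low"):
            alerts.append((hour, count, verdict, round(z, 1)))
    return alerts


# Constructed 7-day history: a quiet hour (02:00) and a busy hour (14:00).
HISTORY = [(d, 2, c) for d, c in enumerate([12, 10, 11, 13, 9, 12, 10])] + \
          [(d, 14, c) for d, c in enumerate([80, 85, 78, 90, 82, 88, 84])]

# Constructed counts for today: 02:00 spikes (a DGA or DNS tunnel would look
# like this), 14:00 is ordinary, and 23:00 has no baseline at all.
TODAY = [(2, 140), (14, 86), (23, 5)]

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for alert in scan(base, TODAY):
        print(alert)
```

Building the baseline per hour of day rather than over the whole week is what makes the 02:00 spike stand out: 140 lookups would be unremarkable at 14:00 but is dozens of standard deviations above the overnight norm. The `unknown` verdict is deliberate; an hour with no history should be reported as a gap in the baseline, not silently scored as normal.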

In this stage, responders use the information in an alert or report to determine whether an incident has taken place, assess how severe it might be (triage), and notify stakeholders.

Identification

______________________ is greatly facilitated by a security information and event management (SIEM) system. A SIEM parses network traffic and log data from multiple sensors, appliances, and hosts and normalizes the information to standard field types.

Incident analysis

Investigating the alerts produced by monitoring systems and issues reported by users.

Incident response

This lists the procedures, contacts, and resources available to responders for various incident categories, and should be developed by the computer security incident response team (CSIRT).

Incident response plan (IRP)

These are the properties of data as it is created by an application, stored on media, or transmitted over a network. For files they are stored as attributes; for web servers, in the resource and response headers that describe the resource; for email, in the Internet headers; and for mobile devices, in call detail records (CDRs).

Metadata

This provides execution control over apps and features of smartphones.

Mobile Device Management (MDM)

This is an open-source log normalization tool. One principal use for it is to collect Windows logs, which use an XML-based format, and normalize them to a syslog format.

NXlog

A flow collector is a means of recording metadata and statistics about network traffic rather than recording each frame. NetFlow is a Cisco-developed means of reporting network flow information to a structured database; IPFIX is the IETF standard derived from it.

NetFlow/IPFIX

These logs are generated by appliances such as routers, firewalls, switches, and access points. Log files will record the operation and status of the appliance itself (the system log for the appliance) plus traffic and access logs recording network behavior.

Network logs

This is the least costly type of training. The facilitator presents a scenario and the responders explain what action they would take to identify, contain, and eradicate the threat. The training does not use computer systems. The scenario data is presented as flashcards.

Tabletop

One challenge in incident management is

allocating resources efficiently

Even if DLP is enabled and correctly configured to enforce policy, the attacker may have been able to circumvent it using a ___________ method that the DLP software cannot scan.

backdoor

Status codes in the 400 range of Web/HTTP access logs indicate

client-side errors

A 502 ("Bad Gateway") response could indicate that

communications between the target server and its upstream server are being blocked, or that the upstream server is down.
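
The access-log patterns discussed on this page (CLF records, 4xx versus 5xx totals, repeated 403s from one client, and 502 responses) pulled together in one added example that is not code from the page. The log lines are constructed, and the threshold of three 403s per client is an assumption; real tuning depends on the site.

```python
# Added example (not code from the page): parse Common Log Format lines and
# surface the status-code patterns an analyst looks for first.
import re
from collections import Counter

# host ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_clf(line):
    """Return a dict for one CLF line, or None if the line is not CLF."""
    m = CLF_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def analyze(lines, forbidden_threshold=3):
    """Summarize error classes and the two patterns called out above."""
    entries, skipped = [], 0
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            skipped += 1  # count rather than silently drop malformed lines
        else:
            entries.append(rec)
    by_class = Counter(e["status"] // 100 for e in entries)
    forbidden = Counter(e["client"] for e in entries if e["status"] == 403)
    return {
        "client_errors": by_class[4],
        "server_errors": by_class[5],
        # Repeated 403s from one client: probing for resources it may not access.
        "forbidden_clients": {c: n for c, n in forbidden.items() if n >= forbidden_threshold},
        # 502: the upstream server is unreachable or down.
        "bad_gateway": [(e["time"], e["request"]) for e in entries if e["status"] == 502],
        "skipped": skipped,
    }


# Constructed sample log; the last line is deliberately not CLF.
SAMPLE_LINES = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326',
    '203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /admin/ HTTP/1.1" 403 199',
    '203.0.113.5 - - [10/Oct/2023:13:55:42 +0000] "GET /admin/config.php HTTP/1.1" 403 199',
    '203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /.git/HEAD HTTP/1.1" 403 199',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /about HTTP/1.1" 404 162',
    '198.51.100.7 - - [10/Oct/2023:13:56:09 +0000] "POST /api/orders HTTP/1.1" 502 150',
    '192.0.2.44 - alice [10/Oct/2023:13:57:00 +0000] "GET /images/logo.png HTTP/1.1" 200 5120',
    '192.0.2.44 - alice [10/Oct/2023:13:57:03 +0000] "GET /reports/q3.pdf HTTP/1.1" 403 199',
    'this line is not in CLF',
]

if __name__ == "__main__":
    for k, v in analyze(SAMPLE_LINES).items():
        print(f"{k}: {v}")
```

A single 403 (the authenticated user alice asking for a report she cannot read) is noise; three in quick succession against /admin/ and /.git/HEAD from an anonymous client is reconnaissance, which is why the check groups by client rather than counting 403s globally.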

The SIEM can then run _____________ rules on indicators extracted from the data sources to detect events that should be investigated as potential incidents. Such a rule is a statement that matches certain conditions. Rules use logical expressions, such as AND and OR, and operators, such as == (matches), < (less than), > (greater than), and in (contains).

correlation

This means interpreting the relationship between individual data points to diagnose incidents of significance to the security team

correlation
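
The two correlation cards above (rules built from ==, <, >, in and AND/OR, and relating individual data points to diagnose an incident) as one added example that is not code from the page. Conditions are plain tuples rather than strings passed to `eval`, so untrusted log content can never be executed. The normalized events, field names, window and threshold are all constructed assumptions.

```python
# Added example (not code from the page): a small correlation-rule evaluator
# over normalized events, then a rule that relates many failed logons from one
# source to a later successful logon from the same source.
OPS = {
    "==": lambda field, value: field == value,
    "<": lambda field, value: field < value,
    ">": lambda field, value: field > value,
    "in": lambda field, value: value in field,  # "contains": substring or list member
}


def matches(cond, event):
    """cond is ("field", op, value) or {"AND": [cond, ...]} / {"OR": [cond, ...]}."""
    if isinstance(cond, dict):
        (combinator, subs), = cond.items()
        fn = all if combinator == "AND" else any
        return fn(matches(c, event) for c in subs)
    field, op, value = cond
    if field not in event:
        return False  # a missing field never matches; it does not raise
    return OPS[op](event[field], value)


FAILED_LOGON = {"AND": [("type", "==", "logon"), ("outcome", "==", "failure")]}
SUCCESS_LOGON = {"AND": [("type", "==", "logon"), ("outcome", "==", "success")]}
BRUTE_FORCE_RULE = {
    "trigger": FAILED_LOGON,   # the data points to accumulate
    "then": SUCCESS_LOGON,     # the event that turns them into an incident
    "group_by": "src_ip",
    "threshold": 5,            # assumed: failures within the window before a success
    "window": 600,             # assumed: seconds
}


def correlate(events, rule):
    """Return one alert per success that follows >= threshold failures from the same group key."""
    recent = {}  # group key -> timestamps of trigger events seen so far
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = e.get(rule["group_by"])
        if key is None:
            continue
        if matches(rule["trigger"], e):
            recent.setdefault(key, []).append(e["ts"])
        elif matches(rule["then"], e):
            hits = [t for t in recent.get(key, []) if t >= e["ts"] - rule["window"]]
            if len(hits) >= rule["threshold"]:
                alerts.append({"src_ip": key, "failures": len(hits),
                               "user": e.get("user"), "ts": e["ts"]})
    return alerts


# Constructed, already-normalized events (ts in seconds).
EVENTS = [
    {"ts": 100 + i, "type": "logon", "outcome": "failure", "src_ip": "203.0.113.9",
     "user": u, "message": f"sshd: Failed password for {u}"}
    for i, u in enumerate(["root", "admin", "oracle", "jsmith", "jsmith", "jsmith"])
] + [
    {"ts": 110, "type": "logon", "outcome": "success", "src_ip": "203.0.113.9",
     "user": "jsmith", "message": "sshd: Accepted password for jsmith"},
    {"ts": 200, "type": "logon", "outcome": "failure", "src_ip": "198.51.100.2",
     "user": "bob", "message": "sshd: Failed password for bob"},
    {"ts": 204, "type": "logon", "outcome": "success", "src_ip": "198.51.100.2",
     "user": "bob", "message": "sshd: Accepted password for bob"},
    {"ts": 300, "type": "dns", "src_ip": "10.0.0.8", "query": "example.com"},
]

if __name__ == "__main__":
    for alert in correlate(EVENTS, BRUTE_FORCE_RULE):
        print(alert)
```

Bob mistyping his password once and then logging in is not an incident; six failures across several account names and then a success from 203.0.113.9 is, and that is only visible by relating the data points over time rather than judging each event alone.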

A particular traffic flow can be defined by packets sharing the same characteristics, referred to as keys, such as IP source and destination addresses and protocol type. A selection of keys is called a ________, while traffic matching a flow label is called a flow record.

flow label
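
The relationship between keys, flow label and flow record, as an added example that is not code from the page or any flow exporter. Constructed packet headers are aggregated into unidirectional flow records keyed by a 5-tuple label (the choice of keys, the internal address range and the byte threshold are all assumptions), then the records are searched for a large internal-to-external flow of the kind that exfiltration produces.

```python
# Added example (not code from the page): build flow records from packet
# headers keyed by a 5-tuple flow label, then flag large outbound flows.
import ipaddress
from collections import namedtuple

FlowLabel = namedtuple("FlowLabel", "src_ip dst_ip proto src_port dst_port")


def label_of(pkt):
    """The keys that identify a flow; everything else in the packet is counted, not keyed."""
    return FlowLabel(pkt["src"], pkt["dst"], pkt["proto"], pkt["sport"], pkt["dport"])


def build_flow_records(packets):
    """Aggregate packets into unidirectional flow records: {FlowLabel: counters}."""
    records = {}
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        key = label_of(pkt)
        rec = records.get(key)
        if rec is None:
            records[key] = {"packets": 1, "bytes": pkt["len"],
                            "first": pkt["ts"], "last": pkt["ts"]}
        else:
            rec["packets"] += 1
            rec["bytes"] += pkt["len"]
            rec["last"] = pkt["ts"]
    return records


INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed local address space


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def large_outbound(records, is_internal, min_bytes):
    """Flows from an internal host to an external one that carried at least min_bytes."""
    found = [(key, rec["bytes"]) for key, rec in records.items()
             if is_internal(key.src_ip) and not is_internal(key.dst_ip)
             and rec["bytes"] >= min_bytes]
    return sorted(found, key=lambda kv: kv[1], reverse=True)


# Constructed packet headers: a short HTTPS exchange, one DNS query, and a
# sustained upload from an internal host to an external server.
PACKETS = [
    {"ts": 0.0, "src": "10.0.0.5", "dst": "198.51.100.10", "proto": "tcp", "sport": 51000, "dport": 443, "len": 600},
    {"ts": 0.2, "src": "198.51.100.10", "dst": "10.0.0.5", "proto": "tcp", "sport": 443, "dport": 51000, "len": 1400},
    {"ts": 0.3, "src": "10.0.0.5", "dst": "198.51.100.10", "proto": "tcp", "sport": 51000, "dport": 443, "len": 200},
    {"ts": 0.5, "src": "198.51.100.10", "dst": "10.0.0.5", "proto": "tcp", "sport": 443, "dport": 51000, "len": 900},
    {"ts": 1.0, "src": "10.0.0.7", "dst": "10.0.0.53", "proto": "udp", "sport": 40001, "dport": 53, "len": 70},
] + [
    {"ts": 5.0 + 0.1 * i, "src": "10.0.0.5", "dst": "203.0.113.50", "proto": "tcp", "sport": 51001, "dport": 443, "len": 1400}
    for i in range(20)
] + [
    {"ts": 5.05 + 0.4 * i, "src": "203.0.113.50", "dst": "10.0.0.5", "proto": "tcp", "sport": 443, "dport": 51001, "len": 60}
    for i in range(5)
]

if __name__ == "__main__":
    records = build_flow_records(PACKETS)
    for key, total in large_outbound(records, is_internal, min_bytes=20000):
        print(f"{key.src_ip}:{key.src_port} -> {key.dst_ip}:{key.dst_port} {total} bytes")
```

Each direction of a conversation is its own flow because the source and destination keys swap, which is why the 28,000-byte upload to 203.0.113.50 and its 300 bytes of acknowledgements appear as two records; a collector that only records flow metadata still reveals which host sent the data out and how much.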
