Course 7: Incident Detection and Response


Step 4: Event data analysis

-The broad phases of the Cyber Kill Chain and MITRE frameworks guide the analyst to think like the attacker and to understand the overall attack as a set of related events.
-The linking of CVE data to the specific tactics in each phase of the ATT&CK model further suggests places in the IT and OT architecture to look for other signs of intrusion.

Correlation does this by grouping data from these streams in several ways:

-Time correlations
-Space correlations
-Entity correlation
-Reference time
-Skew

Incident Documentation

-Who, what, why, where and when
-A centralized incident management system enables multiple incident responders to work on the same incident and receive updated information.
-Documentation may also include audio logs, video logs and written narratives describing the impact of the incident on the system and the organization.

Incident response planning and procedures should include clearly defined internal communication channels that address which of the following?

-Escalation
-End user advisories
-Lessons learned and continued engagement updates

Incident response teams perform best when the following conditions are met:

-Give team members opportunities to perform other tasks, such as creating educational materials, conducting security awareness workshops and performing research.
-Budget enough funding to maintain, enhance and expand proficiency in technical areas and security disciplines, as well as less technical topics such as the legal aspects of incident response.
-Create a mentoring program to enable senior technical staff to help less experienced staff learn incident handling.

The investigator's final report declares three main points:

-Here is my hypothesis: my explanation of what happened, how, when, where and who played what roles in making the incident happen.
-Here is the evidence that supports that hypothesis and the logic by which I have tested that evidence to show that it supports the hypothesis.
-Here is the evidence that attempts to disprove the hypothesis, and with it the logic by which I show that this negative evidence fails to disprove the hypothesis.

General rules of forensic investigation

-Minimize handling/corruption of original data
-Account for any changes and keep detailed logs of your actions
-Comply with the five rules of evidence
-Do not exceed your knowledge
-Follow your local security policy and obtain written permission
-Capture as accurate an image of the system as possible
-Be prepared to testify
-Ensure your actions are repeatable
-Work fast
-Proceed from volatile to persistent evidence
-Do not run any programs on the affected system

If unauthorized activity is detected, an IDS/IPS takes one or both of the following actions:

-Passive response
-Active response
Note: do not counterattack.

The first priority in any incident is to:

-Protect life
-Health
-Safety

IP packet attributes

IP flow is based on a set of five to seven IP packet attributes:
-IP source address
-IP destination address
-Source port
-Destination port
-Layer 3 protocol type
-Class of service
-Router or switch interface

Which of these would be the most urgent signal or event for security personnel to respond to?

Indicators of compromise

Which of the following is true regarding computer intrusions?

Network intrusion detection systems (NIDSs) help mitigate computer intrusions by notifying personnel in real time.

The International Standards Organization codifies incident response processes in ISO/IEC 27035, the Information Security Incident Management standard:

-Plan and preparation
-Detection and reporting
-Assessment and decision
-Response
-Lessons learned

What is the difference between a real and a virtual IRT?

Real IRTs are staffed by permanent employees or members of the organization, have designated work centers or locations and are trained and certified in incident response; virtual IRTs use volunteer or part-time talent, and their members may or may not be fully trained or certified.

Legal and Privacy Concerns

Security professionals must be careful not to exceed their levels of authority or responsibility. Most security professionals do not have the credentials of law enforcement, and their actual level of authority is very limited. They cannot trample the rights of another person or violate the laws of the country. This includes the challenge of network or system monitoring. In many cases a security professional only has the right to monitor activity when directly authorized by management and in support of an approved investigation.

Steps to Incident Detection

-Step 1: Events of interest
-Step 2: Align security baselines and anomalies
-Step 3: Aggregate and correlate event data
-Step 4: Event data analysis
-Step 5: Visualizations, metrics and trends
-Step 6: Document, communicate and escalate

Reviewing incident logs

Any time an incident occurs, save the log files of all devices that have been affected or are along the network path the intruder took. These files need to be saved differently than your standard log retention policy. Since it is possible that these log files might be used in a legal case against the intruder, follow sound forensic chain of custody principles when obtaining and preserving the logs.

Before a complete DLP solution can be introduced, you would need to consider all of the following except which one?

Data by time

Access control systems

The strongest and most recognizable intrusion protection systems used by organizations large and small.

Networks and infrastructure

This category includes everything the organization has or relies upon in the way of IT and OT systems:
-Event reporting from the full range of event-reporting systems
-Log file capture from all system elements capable of producing logs of any kind
-Ongoing process measurements and indicators

Log Retention

Tools that will move old log files to separate folders for backup and purge old data from log files

Speed of recovery is more important to your organization than a forensic discovery of the facts.

True

Which of the following would not be acceptable in evidence collection?

Use any forensic tool you are familiar with

With respect to network devices, servers, endpoints and other hosts, which of the following would be essential to support incident detection and characterization?

Using the same network time service (NTS)

Step 2: Align security baselines and anomalies

A compromise of data such as a breach might be indicated by event data including:
-Access control system events
-Privilege escalation events
-Attempts to decrypt the data
-Attempts to move or copy the data
-Termination of access sessions

Step 3: Aggregate and correlate event data

A process that looks across many disparate streams of signals from the organization's IT and OT to identify patterns, sequences or clusters of events that may be suspicious.

Which mode of operation is best when first implementing a DLP solution?

active

Remediation

Activities would include any changes to the system's configuration to immediately limit or reduce the chance of recurrence of this type of incident.

Four main types of investigations

-Administrative (internal)
-Regulatory
-Civil
-Criminal

Incident triage

Also known as event triage; the process of reducing the number of event-level signals to identify those that require human intervention and decision-making.

Reporting

An ongoing task from the moment the incident is first declared until its damage and disruption have been dealt with.

Clipping levels

A predefined criterion, or threshold, that sets off an event entry. For example, a security operations center does not want to be notified of every failed login attempt, because everyone mistypes their password occasionally. Thus, the clipping level is set to create a log entry only after two failed password attempts.

Disaster recovery plan

A subset of business continuity planning and operations.

Regulatory investigations

Arise when an incident falls within the purview of a government regulatory agency and may lead to civil litigation or criminal court cases.

Security orchestration, automation, and response (SOAR)

Brings together all the data from monitoring and control functions and integrates it into workflows that can automate processes.

Threat modeling

Can be used to create patterns or typologies that describe the behavior of various kinds of threat actors and the actions they take in carrying out an attack. Many such patterns or typologies are available through MITRE and others. These are often used in systems such as endpoint detection and response (EDR) and extended detection and response (XDR).

Data Loss Prevention (DLP)

Describes the controls put in place by an organization to ensure that certain types of data remain under organizational control, in line with policies, standards and procedures.

All-Source Intelligence

Describes the inputs and the processes used to derive actionable assertions, recommendations and conclusions to inform decision making.

Incident management and the security operations center (SOC) concept

Enables the organization's senior leadership and management to make informed decisions about emergency or urgent actions required to protect the organization from loss or impact.

Software Analysis

Encompasses such investigative activities as malware analysis, intellectual property disputes and copyright infringements. The objectives of the analysis include author identification, content analysis (payload) and context analysis.

What might a limitation be when considering?

Encrypted files and/or traffic can't be examined without first decrypting them.

Change to evidence handling and

Evidence gathered may exist in many different formats such as a disk image, log files, memory content or physical evidence. A cryptographic hash should be calculated and recorded to detect data alterations that occur after imaging.

Log consolidation

Gives "one-stop shopping" for log file analysis. Log file consolidation is usually done on a separate server from the one that actually generates the log files.

Notification

Immediate notification should be provided if an incident affects a significant number of hosts or a critical system, exposes critical data or could result in revenue loss.

Step 5: Visualization, metrics and trends

Interactive dashboard systems provide analysts with a variety of tools and techniques to organize, group, emphasize and act upon the security data their systems are generating. Visualization can be simple dashboards that group trend lines, status indicators, current and recent values and event timelines.

Author Identification

Involves attempts to determine who created or authored the software/program in question (was it an individual or group effort?). The code is examined for clues to programming style, programming language, development toolkits used, embedded comments and addresses, and so on.

Media analysis

Involves the recovery of information or evidence from information media such as hard drives, USB drives, DVDs, CD-ROMs or portable memory devices. This media may have been damaged, overwritten, degaussed or reused to aid in hiding evidence or useful information. Numerous tools and techniques exist that can recover information from the media with differing success. Should a forensic image be required, the information security professional may need to enlist the help of a media recovery specialist. These specialists often work in clean rooms, can rebuild a drive if needed and maintain a chain of custody while doing it. However, they are very expensive, so unless a forensically sound image is required, several other tools and techniques should be considered.

Content Analysis

Involves the systematic analysis of the purpose of the code. In the case of Trojan horse programs, for example, the focus would be on determining what the actual attack was meant to do, what files were installed or altered on the infected systems and where, what communications channels were opened (ingress and egress), the identity of any upstream destination addresses, what information was being sent or stored locally for batch uploads, etc.

Log anomaly

Anything out of the ordinary. Identifying log anomalies is often the first step in identifying security-related issues, both during an audit and during routine monitoring. Some anomalies will be glaringly obvious, for example gaps in date/time stamps or account lockouts. Others will be harder to detect, such as someone trying to write data to a protected directory. Although it may seem that logging everything so you would not miss any important data is the best approach, most would soon drown under the amount of data collected.

Eradication

The process of identifying and then removing every instance of the causal agent and its associated files, executables and so forth from all elements of your system.

Chain of custody

The sequence of records kept about each piece of evidence, showing every step in its history.

Communication planning during an incident

It is critical that the communications plan clearly identifies specific individuals with authority to speak for the organization when it comes to information security breaches, incidents or disruptions.

Which statement best describes an adverse event?

Adverse events may be unplanned and accidental disruptions to IT and OT operations, or they may be part of an attack.

Incident response

A process aimed at reducing the impact of an incident so the organization can resume the interrupted operations as soon as possible.

Real-time monitoring

Provides a means for immediately identifying overt and covert events.

Context Analysis

Refers to developing a meta view of the impact of the suspicious software relative to the case or the environment in which it was found. Understanding context can assist with the analysis and can be used to develop a realistic rating of the risks to the organization or victim.

Recovery

The process by which the organization's IT infrastructure, applications, data and workflows are reestablished and declared operational.

Escalation

The process of gaining the right level of management or leadership awareness of an incident, their approval of how it is being dealt with thus far, and their direction to take more significant steps in the incident response plan.

SIEM solutions

These devices typically function as correlation tools and focus on known attack patterns, which can introduce a lot of overhead, both in their maintenance (they have to be kept up to date) and in their use (they can create a lot of false positives which need to be analyzed).

Step 6: Document, communicate and escalate

Two requirements when communicating findings:
-Engage the incident response process
-Support subsequent investigation and analysis for forensic, compliance or troubleshooting purposes

Network Analysis

The term was coined in 1997 by Marcus Ranum and refers to the analysis and examination of data from network logs and network activity for use as potential evidence. (The original definition used the term investigation, but later authors amended this to evidence to emphasize the forensic aspect.) Like software forensics/analysis, network analysis or network forensics is now encompassed under the larger category of digital evidence. The analysis of network activity is an innate function of any IR situation, and the process model is identical to what has been previously discussed in the incident response section of this chapter. The critical features are proper evidence management and handling (i.e., chain of custody), with the concern that any derived evidence will be admissible in a legal proceeding.

Hardware/Embedded Device Analysis

The analysis of hardware and embedded devices often involves the analysis of mobile devices such as smartphones or personal digital assistants (PDAs). The standard hardware and firmware found in a laptop or a desktop computer's motherboard, such as the complementary metal oxide semiconductor (CMOS) chip used to control basic functions, will also need to be forensically imaged and then examined. Special tools and techniques are required to image embedded devices. Many embedded devices cannot be read or copied without altering the very information you wish to obtain.

Implementing the lessons learned

The lessons learned phase should lead to actions where:
-Necessary changes are implemented
-Monitoring is improved
-Staff members are trained
-Tools are purchased

Taking control of the incident scene

-Requires that a responsible person assert their authority to control access to the scene, any recordings or images made of the scene, and any contact or interaction with possible evidence in the scene.

These three layers also reflect the planning horizons and span of decision-making that organizational leaders and senior managers focus on:

-Strategic
-Tactical
-Operational

NIST/ISO Recommendations

-No actions should change data contained on digital devices or storage media.
-Individuals accessing original data must be competent to do so and be able to explain their actions.
-An audit trail or other accurate documentation of each investigative step, suitable for independent third-party review, must be created and preserved.
-The person in charge of the investigation has overall responsibility for ensuring that the procedures are followed and are in compliance with governing laws.
-Upon seizing digital evidence, actions taken should not change that evidence.

NIST Special Publication 800-61, Computer Security Incident Handling Guide, structures incident response activities in a four-phase lifecycle:

-Preparation
-Detection and Analysis
-Containment, Eradication and Recovery
-Post-incident Activity

Implementation steps

-Requirements analysis
-Preliminary design or operations concept layout
-Preliminary build vs. buy assessment
-Preliminary cost estimates
-Schedule and need date determination
-Approval and direction to proceed

Longer Term Countermeasures

-Rehosting of servers or endpoints to major new releases of operating systems
-Migration to major new versions of critical application platforms
-Instituting greater use of UEBA, ABAC or other more powerful access control strategies
-Implementing some portion of a zero trust architecture
-Fundamentally redesigning workflows to strengthen dual control or separation of duties
-Implementing additional internal controls over financial systems
-Extending the visibility, reach and control of the security operations systems to better include operational technology systems, networks and devices
-Replacement of hard-to-secure, possibly outdated devices with more modern units that provide better security, maintainability and functionality
-Implementing PKI systems where necessary
-Instituting more effective cryptologic asset management systems and procedures

NIST has several excellent documents that describe the components of continuity programs:

-SP 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems
-SP 800-61 Rev. 2, Computer Security Incident Handling Guide
-SP 800-184, Guide for Cybersecurity Event Recovery

Understanding network behavior

-Source address allows the understanding of who is originating the traffic.
-Destination address tells who is receiving the traffic.
-Ports characterize the application utilizing the traffic.
-Class of service examines the priority of the traffic.
-The device interface tells how traffic is being utilized by the network device.
-Tallied packets and bytes show the amount of traffic.

Which tasks can SOAR systems do that SIEMs cannot? Select all that apply.

-Support user creation of workflows to direct and control the execution of routine and emergency tasks, such as data analysis or incident response
-Remotely manage configuration settings for security appliances, devices, servers, endpoints and agents

The containment strategy should be driven by several criteria, including the following:

-Need to preserve forensic evidence for possible legal actions
-Availability of services the affected component provides
-Potential damage that leaving the affected component in place may cause
-Time required for the containment strategy to be effective
-Resources required to contain the affected component

Incident response team (IRT)

-The team can be virtual or permanent depending on the requirements of the organization.
-Virtual models can also be implemented by identifying people who will immediately switch from their normal tasks to IRT tasks.
-Some organizations have teams whose members are permanently assigned to the incident team and work in this capacity on a full-time basis.
-A third model can be described as a hybrid of the virtual and permanent.

Incident response plan

-All employees should follow a plan or procedure depending on their role in the incident response process.
-Procedures to implement the plan should define the technical processes, techniques, checklists and other tools which teams will use in the incident response process.

Administrative or internal investigations

-Are often the starting point of a significant set of activities, such as civil or criminal investigations
-Conducted when the entirety of the process will be contained within the organization; it exists solely as an internal function
-Administrative investigations are usually carried out when an incident is the result of an authorized user acting maliciously or inadvertently, causing damage or bringing risk to the organization.

Checklists

-Can provide a powerful but simple set of reminders, either of criteria for assessing an event or of current conditions to check.

Civil investigation

-Civil law applies when a victimized entity sues the offending party.
-An investigation whose intended purpose is a lawsuit should involve the same degree of documentation and adherence to detail as a criminal investigation.

Mitigating an attack involves two logically separate tasks:

-Containment
-Eradication

Full packet capture

-Devices capture every single packet that flows across the border, which can be analyzed later should an incident occur.
-Can consume a tremendous amount of storage.
-Has the ability to do a "packet dump" or extract a certain cross-section of the traffic as defined by criteria such as IP protocol or time of day.

Logs and other incident response records

-Direct responders immediately start keeping a log of conditions encountered, what they observe and what actions they take.
-Logs should also document any communications with others, including information conveyed or directions given.

IP flow: data collection and analysis

-Each packet that is forwarded within a router or switch is examined for a set of IP packet attributes.
-The attributes constitute the IP packet identity or fingerprint and determine whether the packet is unique or similar to other packets.

Organizations gather human intelligence through:

-Help desks, trouble tickets, service requests and suggestions for improvement
-Business process engineering and performance assessment

Step 1: Events of interest

-Identify events of interest so that security analysts can focus on events that may be part of an attack or intrusion.
-Without an IoC, determine whether a signal is merely a signal of an event or something security needs to get involved with.
-An event of interest is an event associated with an IT or OT system that may or may not be a security concern.

These guidelines formalize the computer forensic process by breaking it into several phases or steps:

-Identifying evidence
-Collecting or acquiring evidence
-Examining or analyzing the evidence
-Presentation of findings

Defining an incident

-Issue identification may result from a preventative control but generally results from a detective control.
-Reports from end users also provide an important method for identifying security incidents.

Which of the following would not normally be a part of an all-source threat intelligence assessment?

Digital discovery orders

You have completed the search and discovered that there has indeed been a major data breach. What might be your next step?

Review the log data

After examining the network activity log files, nothing springs out as an indicator of an external attack. However, looking at the UEBA logs you notice that one of your employees, Sasha Coen, is being flagged. She is accessing the customer accounts files at odd times, usually outside of her normal working hours. What would need to be examined?

Sasha's work computer
