Incident Response Final Exam
Clearing
Disconnecting temporary services at an alternate facility
malware hoax
Essentially a DoS attack, a ____ is a message aimed at causing organizational users to waste time reacting to a nonexistent malware threat.
Data management team
Expected to quickly assess the recoverability of data from systems on site and then make recommendations to the management team as to whether off-site data recovery is needed
Disaster recovery
Focuses on business resumption at the primary place of business
Recovery phase
Focuses on critical business operations
Resumption phase
Focuses on functions that are not critical
Business continuity
Focuses on resuming critical functions at an alternate site
bitstream
Forensic investigators use ____ copying when making a forensic image of a device, which reads a sector (or block; 512 bytes on most devices) from the source drive and writes it to the target drive; this process continues until all sectors on the suspect
Computer forensics
Forensic techniques with a computer system as the source of evidence
Digital forensics
Forensic techniques with a digital electronic device as the source of evidence
Field evidence log
Identifies each item collected by forensic team by a filename number
Incident manager
Identifies sources of relevant information on a first response team
hoax
If a user receives a message whose tone and terminology seems intended to invoke a panic or sense of urgency, it may be a(n) ____.
blocking a specific IP address
In a "block" containment strategy, in which the attacker's path into the environment is disrupted, you should use the most precise strategy possible, starting with ____.
False
In disaster recovery planning, there is a prevention phase similar to that in IR planning.
False
In general, a law enforcement organization can become the target of a retaliatory lawsuit for damages arising from an investigation that proves to be groundless.
Selected Answer: Personal Privacy to me encompasses privacy for a persons property; this is stuff like mail, your "home", and your items but these protections are only for properly secured property so stuff that is easily found in an investigation are up for interpretation by the courts. Personally I think the only truly secure private property is the stuff handled in the U.S. mail, everything else can be searched if the Feds want to search it, because "probable cause" is really loosely defined. Correct Answer: Personal privacy is defined in the Fourth Amendment to the U.S. Constitution as follows: The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized. The Fourth Amendment states that citizens have a right against unreasonable searches of their person and property without authorization by an appropriate entity, and this expectation of privacy has been expanded by case law to include the workplace.
In your own words, summarize how personal privacy is defined in the Fourth Amendment of the U.S. Constitution.
Communications team
Interfaces with upper management, law enforcement, the press, etc.
Testing
Involves assessment, whether internal or external
Faraday Cage
It is critical to protect wireless devices from accessing (or being accessed though) the network after seizure and during analysis. Because removing power to the device would lose the volatile information, a better solution is to block wireless access using a(n) ____________________
IR reaction strategies
Known as ____, procedures for regaining control of systems and restoring operations to normalcy are the heart of the IR plan and the CSIRT's operations.
False
Mainframe systems leverage data communications to decentralize and/or distribute capacity.
Scribe
Maintains control of the field evidence log on a first response team
blended
Many malware attacks are ____ attacks, which involve more than one type of malware and/or more than one type of transmission method.
True
Many practitioners feel that a system, once compromised, can never be restored to a trusted state.
jump bag
Most digital forensic teams have a prepacked field kit, also known as a(n) ____.
False
One activity that occurs during the clearing phase of a BC implementation is scheduling a move back to the primary site.
True
Over 90 percent of organizations that experienced disruption at a data center lasting 10 days or longer were forced into bankruptcy within one year.
Privacy Protection Act
Protects journalists from having to turn over material before public dissemination
Federal Wiretapping Acts
Regulates interception of electronic and oral communications
Sequential roster
Requires that a contact person call each person on the roster
Logistics
Serves as the go-to team to physically acquire and transport needed resources to the appropriate location.
Theft or damage to assets whether to preserve evidence for potential criminal persecution service-level commitments and contract requirements to customers allocation of necessary resources to activate strategy graduated responses that may be necessary duration of containment efforts
The CSIRT's operational guidance should include containment strategies that are applicable as well as when they may be employed. List the minimum set of potential containment strategies.
www.ready.gov
The U.S. Department of Homeland Security's Federal Emergency Management Association has developed a support Web site at ____ that includes a suite of tools to guide the development of disaster recovery/business continuity plans.
CPMT
The ____ assembles a disaster recovery team.
DR plan desk check
The ____ involves providing copies of the DR plan to all teams and team members for review.
after-action review
The ____ is a detailed examination of the events that occurred, from first detection to final recovery.
Archivist
The individual responsible for the maintenance of the business continuity plan document
Scene sketch
The only forensic team field note that can be done in pencil
scope
The part of a disaster recovery policy that identifies the organizational units and groups of employees to which the policy applies is called the ____ section.
after-action review
The purpose of the ____ is to provide a way for management to obtain input and feedback from representatives of each team.
True
The purpose of the disaster recovery program is to provide for the direction and guidance of all disaster recovery operations.
plan maintenance schedule
The section of a DR policy that includes a schedule and instructions for the review and updating of the DR plan is called the
Some variables to be considered are the type of the incident, method of incursion, current level of success, current level of loss, expected or projected level of loss, target, target's level of classification and/or sensitivity, and legal or regulatory impacts mandating a specific response.
The selection of an appropriate reaction strategy is an exercise in risk assessment in which the CSIRT leader must determine what the appropriate response is based on a number of variables. What are some of the variables that must be considered?
Network recovery
This team works to establish short-term and long-term networks
True
Training focuses on the particular roles each individual is expected to execute during an actual disaster.
Common Body of Knowledge
Two dominantly recognized professional institutions certifying business continuity professionals agree on the ____ as the basis for certification.
hot site
Unless an organization has contracted for a ____ or equivalent, office equipment such as desktop computers are not provided at BC alternate site.
1. Develop the DR planning policy statement: A formal department or agency policy provides the authority and guidance necessary to develop an effective contingency plan. 2. Review the business impact analysis (BIA): The BIA was prepared to help identify and prioritize critical IT systems and components. A review of what was discovered is an important step in the process. 3. Identify preventive controls: Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life-cycle costs. 4. Create DR contingency strategies: Thorough recovery strategies ensure that the system may be recovered quickly and effectively following a disruption. 5. Develop the DR plan: The DR plan should contain detailed guidance and procedures for restoring the organization and its system after a disaster. 6. Ensure DR plan testing, training, and exercises: Testing validates recovery capabilities, training prepares recovery personnel for plan activation, and exercises identify planning gaps; together, these activities improve plan effectiveness and overall organizational preparedness. 7. Ensure DR plan maintenance: The DR plan should be a living document that is updated regularly to remain current with system enhancements and organizational changes.
What are the seven steps that are recommended for developing a comprehensive disaster recovery plan?
One important note for both DR and IR planning: when selecting an off-site storage location for data backups or stored equipment, extra care should be taken to minimize the risk at that storage location. In many instances, a large-scale disaster may destroy or damage both the primary location and the off-site storage location, if the latter is not carefully selected.
Why are large-scale disasters of particular concern when choosing off-site storage locations for data backups and equipment?
Business continuity management team: This is the command and control group responsible for all planning and coordination activities. The management team consists of organization representatives as described above, working together to facilitate the transfer to the alternate site. During relocation, this group coordinates all efforts and receives reports from and assigns work to the other teams. With the BC version of this group, the team handles the functions performed by the communications, business interface, and vendor contact teams under the DR model. Operations team: This group works to establish the core business functions needed to sustain critical business operations. The specific responsibilities of this team vary dramatically between organizations, because their operations differ.
Within a BC team, there may be many subteams. What are the responsibilities of the business continuity management team and the operations team?
notification
A DR plan addendum should include the trigger, the ____ method, and the response time associated with each disaster situation.
distributed denial-of-service
A ____ attack is much more substantial than a DoS attack because of the use of multiple systems to simultaneously attack a single target.
False
A business continuity plan should be a single unified plan.
BCI Professional Recognition Program
A certification offered by the Business Continuity Institute is called ____.
snapshot
A continuously changing process presents challenges in acquisition, as there is not a fixed state that can be collected, hashed, and so forth. This has given rise to the concept of ____ forensics which captures a point-in-time picture of a process.
field notes
A forensics team typically uses two methods to document a scene as it exists at the time of arrival: photography and ____.
expectation of privacy
A search is constitutional if it does not violate a person's reasonable or legitimate____.
Permissible in scope
A search that is constrained to a specific focus
True
Automated IR systems to facilitate IR documentation are available through a number of vendors.
True
BC is specifically designed to get the organization's most critical services up and running as quickly as possible in order to enable the continued operation of the organization and thereby ensure its existence and minimize the financial losses from the disruption.
Vendor contact team
Can work from preauthorized purchase orders to quickly order replacement equipment, applications, and services, as the individual teams work to restore recoverable systems
The Cuckoo's Egg
Clifford Stoll's book, ____, provides an excellent story about a real-world incident that turned into an international tale of espionage and intrigue.
Alert roster
Commonly tested at least quarterly
Logistics team
Consists of the individuals responsible for providing any needed supplies, space, materials, food, services, or facilities at the primary site
DR strategies go substantially beyond the recovery portion of data backup and recovery and must include the steps necessary to fully restore the organization to its operational status. This includes personnel, equipment, applications, data, communications, and support services (power, water, and so on). Only through close coordination with these services can the organization quickly reestablish operations back at its principle location, which is the primary objective of the DR plan.
Contrary to popular belief, DR strategies go substantially beyond the recovery portion of data backup and recovery. Discuss what further steps are necessary.
Disaster management team
Coordinates all disaster recovery efforts
Command and control
Core administrative functions needed by an organization to remain operational
information system
Deciding which technical contingency strategies are selected, developed, and implemented is most often based on the type of ____ being used.
Malware
Deliberate software attacks occur when an individual or group designs and deploys software, known as ___________________, to attack a system.
cookie
A ____ is a small quantity of data kept by a Web site as a means of recording that a system has visited that Web site.
Although some encryption is poorly done and is easily broken, high-quality products are increasingly available that use good encryption algorithms beyond our current capability to reverse encryption by trying all possible combinations. Encrypted information poses significant challenges to forensic investigators because, by its nature, encryption conceals the content of digital material. Many encryption products require input of an encryption key when the user logs on and then decrypts the user's information on the fly. When the system goes into screen saver mode or is powered down, the encryption key is deactivated and must be reentered. Unfortunately, data needed by the forensic investigator will be encrypted and will not be readable without the proper key.
An increasing concern for privacy and widespread availability of encryption products has led to the use of encryption for individual files and even entire devices. Briefly discuss the current state of encryption with respect to forensic investigation.
1) Preparation: The planning and rehearsal necessary to respond to a disaster 2) Response: The identification of a disaster, notification of appropriate individuals, and immediate reaction to the natural disaster 3) Recovery: The recovery of necessary business information and systems 4) Resumption: The restoration of critical business functions 5) Restoration: The reestablishment of operations at the primary site, as it was before the disaster
Briefly discuss the five phases of a disaster recovery plan.
BCI certification focuses on these key principles: Business continuity management policy and program management—Establishing the need for a business continuity management process, organizing and managing the formulation of the process and developing, coordinating, evaluating, and exercising plans during incidents Understanding the organization—Identifying critical functions, risk evaluation and control focusing on events and surroundings affecting the organization and controls to mitigate potential loss, and cost/benefit analysis Determining business continuity strategies—Selecting alternate recovery strategies and solutions based on RTO and RPO, developing, coordinating evaluating and exercising communications plans, and providing trauma counseling Developing and implementing a BCM response—Developing emergency response procedures, establishing an emergency operations center, experience in handling an emergency, and developing, designing, and implementing BC plans Exercising, maintaining, and reviewing BCM arrangements—Planning BC exercises, ensuring currency of BC plans, verifying plans against standards, and establishing procedures and policies for coordinating with external agencies Embedding BCM in the organization's culture—Developing training and awareness plans for BC
Describe three of the key principles that are a focus of the Business Continuity Institute certification.
Restoration phase
During this phase, an organization might have to select a new permanent home
Factors that could affect the maintenance process is change of location, size, or change in business focus.
Summarize the general activities and timing associated with DR plan maintenance and discuss organizational factors that can affect the maintenance process.
team leader
The BC ____________________ is most likely a general manager from the operations or production division, appointed by the chief operations officer, chief finance officer, or chief executive officer.
policy
The BC team begins with the development of the BC __________, which overviews the organization's philosophy on the conduct of BC operations and serves as the guiding document for the development of BC planning.
recovery point objective
The ____ is the point in the past to which the recovered applications and data at the alternate infrastructure will be restored.
roles and responsibilities
The ____ section of the business continuity policy identifies the roles and responsibilities of the key players in the business continuity
data management
The ____ team is primarily responsible for data restoration and recovery.
Systems recovery
This team works to install operating systems
Data management
This team works with other teams toward restoring and recovering data
trigger point
When implementing a BC plan, an organization reaches a predetermined state, known as a(n) ____, at which time the responsible executive indicates that the organization is to relocate to a pre-selected alternate site.
Computer recovery team
Works to recover physical computing assets that might be usable
Man-made
____ disasters include acts of terrorism and acts of war.
Inappropriate Use
____________________ is a category of incidents that covers a spectrum of violations made by authorized users of a system who nevertheless use the system in ways specifically prohibited by management.
incident
An ____ may escalate into a disaster when it grows in scope and intensity.
Scheduling of employee move: Note that not all business functions may return at the same time, just as not all will relocate to the BC site in the same order or time. The organization may have the most critical functions continue to work out of the BC site until all support personnel are relocated and support services are functional at the primary site. The organization may also want to wait for a natural break in the business week, like the weekend. In any case, the BC plan should contain information on who will begin directing the move back to the primary site, and generally in what order the business functions and associated personnel will move.
Briefly describe the information required for the "scheduling of employee move" operation that should be specified in a BC plan to support returning to the primary site.
Vendor relationships
Crucial during a disaster
1 Laptop with kali or something similar 2 Call list with subject-matter experts 3 Cellphones with extra batteries and chargers 4 Imaging software or hardware with write blockers 5 Hard drives, CDs, DVDs, USB flash drives for evidence 6 Cables for access to network, and memory storage devices 7 Evidence bags 8 Digital Camera for photographic evidence 9 Incident forms 10 Spare screws, anti-static mats, mechanics' mirrors, telescoping lights and grabbers, general hardware equipment
Describe ten things that you might find in a forensic field kit.
Structured walk-through: All involved individuals walk through the steps they would take during an actual disaster, either on site or as a conference room discussion. Simulation: Each involved individual or team works independently, rather than in conference, simulating the performance of each task, stopping short of the actual physical tasks required, such as restoring the backup or rebuilding a particular server or communications device.
Describe the structured walk-through and simulation strategies that can be used for plan testing and rehearsal by disaster recovery teams.
Altering the filtering rules, either temporarily or permanently, may resolve the issue. Be aware of the possibility of service availability to legitimate customers. Also, the attacker may not only shift spoofed addresses, he may also shift source protocols. Also be aware that the more rules present in a device, the slower it will run. Thus, changing the organization's filtering strategy should only be done on a temporary, emergency basis if it causes issues. For long-term solutions, the organization may want to consider upgrades to critical network technologies to make such responses insignificant.
During a DoS incident, one possible containment strategy is to block the address the attacks are coming from. In addition, the organization may want to change its filtering strategy. What are the advantages and disadvantages of this approach?
Hierarchical roster
Requires that the first person cal other designated people on the roster
Needs training in recovering data from off site, along with the data management team
Storage recovery team
response phase
The ____ is the phase associated with implementing the initial reaction to a disaster; it is focused on controlling or stabilizing the situation, if that is possible.
damage assessment
The ____ team is responsible for providing the initial assessments of the extent of damage to equipment and systems on-site and/or for physically recovering the equipment to be transported to a location where the other teams can evaluate it.
applications recovery
The ____ team is responsible for recovering and reestablishing operations of critical business applications.
network recovery
The ____ team is responsible for reestablishing connectivity between systems and to the Internet.
response
The ____________________ phase of a disaster recovery plan involves activating the plan and following the steps outlined therein.
True
The alert roster must be tested more frequently than other components of a disaster recovery plan because it is subject to continual change due to employee turnover.
Forensic Toolkit (FTK)
The forensic tool ____ does extensive pre-processing of evidence items that recovers deleted files and extracts e-mail messages.
Timeliness is a factor in prioritizing the response. Use software to support incident management priotitize each incident component as it arises Contain each incident, then scan for others.
What are some of the recommendations for handling hybrid incidents?
The key points the CP team must build into the DR plan include: the clear delegation of roles and responsibilities; the execution of the alert roster and notification of key personnel; the use of employee check-in systems; the clear establishment and communication of business resumption priorities; the complete and timely documentation of the disaster; and preparations for alternative implementations.
What are some of the key points that the CP team must build into the DR plan?
Repair damage or select or build replacement facility Replace primary site damaged or destroyed contents Coordinate relocation from temporary offices to primary sire or to new replacement facility Restore normal operations at the primary site Stand down the DR teams and conduct the after-action review
What are the primary goals associated with the restoration phase of a disaster recovery plan?
This means that a search is rooted in a legitamete business reason, such that it was done specifically to locate a legitimate work product or as part of an investiagtion into work-related misconduct involving organization resources.
What does it mean for a search to be "justified at its inception?"
Correct The recovery time objective (RTO) is the amount of time that the business can tolerate until the alternate capabilities are available. Reducing RTO requires mechanisms to shorten start-up time or provisions to make data available online at a fail-over site. The recovery point objective (RPO) is the point in the past to which the recovered applications and data at the alternate infrastructure will be restored.
What is the difference between the recovery time objective and the recovery point objective?
After evidence is bagged in an Evidence Bag or storage unit there should be a place on the bag where the person who collects it signs that they've collected it and when this happened, from there everyone who handles it has to sign that they've obtained it from the last in command and the last in command signs that it was given to the next in command.
What is the usual process for creating a chain of custody for collected evidence from the time it is sealed?
True
Within the private sector, the Supreme Court stated, "Every warrantless workplace search must be evaluated carefully on its facts. In general, however, law enforcement officers can conduct a warrantless search of private (i.e., nongovernment) workplaces only if the officers obtain the consent of either the employer or another employee with common authority over the area searched."
Network recovery team
Works to reestablish functions by repairing or replacing damaged or destroyed components.
Business interface team
Works with the remainder of the organization to assist in the recovery of nontechnology functions
Business interface team
Works with the remainder of the organization to assist in the recovery of nontechnology functions.
Inappropriate use
____ incidents are predominantly characterized as a violation of policy rather than an effort to abuse existing systems.
Anti-forensics
____ involves an attempt made by those who may become subject to digital forensic techniques to obfuscate or hide items of evidentiary value.
Rapid onset disasters
____ may be caused by earthquakes, floods, storm winds, tornadoes, or mud flows.
Preparation
____ means making an organization ready for possible contingencies that can escalate to become disasters.
External
___________________ testing can come from standardization boards or consultants (for example, ISO 9000), certification or accreditation groups, or a group selected by the organization's management from a sister company.
Internal
____________________ testing can include employees conducting self-assessments after an exercise by completing feedback surveys indicating what they thought worked well and what did not.
Disaster recovery planning
______________________________ is the preparation for and recovery from a disaster, whether natural or man-made.
contamination
____—that is, alleging that the relevant evidence came from somewhere else or was somehow tainted in the collection process.
