4.0 Operations and Incident Response

Cyber Kill Chain

a series of steps that trace stages of a cyberattack from the early reconnaissance stages to the exfiltration of data. The kill chain helps us understand and combat ransomware, security breaches, APTs. -Reconnaissance -Exploitation -Privilege Escalation -Lateral Movement -Obfuscation / Anti-forensics -Denial of Service -Exfiltration

Integrity

- Hashing - Checksums - Provenance

Firewall rules

-Program: Block or allow a program -Port: Block or allow a port, port range, or protocol -Predefined: Used a predefined _______ included with Windows -Custom: Specify a combination of program, port, and IP address to block or allow.

Echo

A quality check and error-control technique for data transferred over a computer network or other communications link, in which the data received is stored and also transmitted back to its point of origin, where it is compared with the original data.

Dig

A Linux command-line alternative to Nslookup. Uses the OS resolver libraries.

PathPing

A TCP / IP command that provides information about latency and packet loss on a network. Combines the functionality of ping with that of tracert. It is used to locate spots that have network latency and network loss.

Session Initiation Protocol (SIP) traffic

A VoIP signaling protocol used to set up, maintain, and tear down VoIP phone calls or real-time voice and video communications.

Internet Protocol Configuration (ipconfig)

A Windows command line utility that is used to manage the IP address assigned to the machine it is running in. Used without any additional parameters, it displays the computer's currently assigned IP, subnet mask and default gateway addresses.

logger

A command line in Linux that makes log entries in the system.

Netcat (NC)

A command-line alternative to Nmap with additional features scanning for vulnerabilities.

Tcpdump

A command-line protocol analyzer. Administrators use it to capture packets. Used exclusively in Linux.

Network Statistics (Netstat)

A command-line utility that can display detailed information about how a device is communicating with other network devices.

Nslookup

A command-line utility that can query the DNS to obtain a specific domain name or IP address mapping. Uses own internal libraries.

Tracert

A command-line utility that shows the path that a packet takes. Executed in the command prompt console on Windows OS.

Ping

A command-line utility to test the connection between two network devices. Used to test reachability of a host on an IP network.

Windows Hexadecimal editor (WinHex)

A commercial disk editor and universal ________ (hex editor) used for data recovery and digital forensics.

Runbook

A compilation of routine procedures and operations that the system administrator or operator carries out. System administrators in IT departments and NOCs use _____ as a reference. Helps an analyst thoroughly respond to the complexity of security threat events

MITRE ATT&CK

A comprehensive matrix of tactics and techniques used by threat hunters, red teamers, and defenders to better classify attacks and assess an organization's risk. The aim of the framework is to improve post-compromise detection of adversaries in enterprises by illustrating the actions an attacker may have taken.

Client URL (cURL)

A computer software project providing a library and command-line tool for transferring data using various network protocols.

FTK Imager

A data preview and imaging tool used to acquire data (evidence) in a forensically sound manner by creating copies of data without making changes to the original evidence.

Internet Protocol Flow Information Export (IPFIX)

A flow to be any number of packets observed in a specific timeslot and sharing a number of properties, e.g. "same source, same destination, same protocol".

syslog-ng

A free and open-source implementation of the syslog protocol for Unix and Unix-like systems. It extends the original syslogd model with content-based filtering, rich filtering capabilities, flexible configuration options and adds important features to syslog, like using TCP for transport. A centralized syslog collector

Incident Response Team

A group of experts that assesses, documents and responds to a cyber incident so that a network can not only recover quickly, but also avoid future incidents.

Network

A group of two or more devices or nodes that can communicate. The devices or nodes in question can be connected by physical or wireless connections. The key is that there are at least two separate components, and they are connected.

Retention Policies

A key part of the lifecycle of a record. It describes how long a business needs to keep a piece of information (record), where it's stored and how to dispose of the record when its time. It seems very straightforward, and in many ways it is.

nxlog

A multi-platform log management tool that helps to easily identify security risks, policy breaches or analyze operational problems in server logs, operation system logs and application logs.

Legal hold

A notification sent from the legal team to employees instructing them not to delete electronically stored information or paper documents that may be relevant to an incident.

Artifacts

A piece of data that may or may not be relevant to the investigation / response. Examples include registry keys, files, time stamps, and event logs. A piece of data, that is relevant to your investigation because it supports or refutes a hypothesis.

Continuity of Operations Plan (COOP)

A predetermined set of instructions or procedures that describe how an organization's mission essential functions will be sustained within 12 hours and for up to 30 days as a result of a disaster event before returning to normal operations.

Memory Dump (Memdump)

A process in which the contents of memory are displayed and stored in case of an application or system crash. Helps software developers and system administrators to diagnose, identify and resolve the problem that led to application or system failure.

Chain of custody

A process of documentation that shows that the evidence was always under strict control and no unauthorized individuals were given the opportunity to corrupt the evidence.

Page File

A reserved portion of a hard disk that is used as an extension of RAM for data in RAM that hasn't been used recently. Can be read from the hard disk as one contiguous chunk of data and thus faster than re-reading data from many different original locations.

Cuckoo

A sandbox with the leading open source automated malware analysis system. You can throw any suspicious file at it and in a matter of minutes, will provide a detailed report outlining the behavior of the file when executed inside a realistic but isolated environment.

Network Mapper (Nmap)

A security vulnerability scanner that can determine which devices are connected to the network and the services they are running.

Incident Response Plan (IRP)

A set of written instructions for reacting to a security incident. Actions an organization can and perhaps should take while the incident is in progress

Checksums

A small-sized datum derived from a block of digital data for the purpose of detecting errors that may have been introduced during its transmission or storage. Simple method used in symmetric key cryptography to ensured data integrity.

Call manager

A software component that establishes, maintains and terminates a connection between two computers.

OpenSSL

A software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end. It is widely used by Internet servers, including the majority of HTTPS websites. Widely used open-source implementation of the SSL/TLS protocol that was affected by the Heartbleed bug.

syslog

A standard for message logging. It allows separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them. Uses UDP port 514.

Interface Configuration (ifconfig)

A system administration utility in Unix-like operating systems for network interface configuration. The utility is a command-line interface tool and is also used in the system startup scripts of many operating systems. Has an opposite for Windows OS.

Walkthrough Exercise

A tutorial of a situation. Discussed step-by-step. Intermediate for hands on.

Traceroute

A utility application that monitors the network path of packet data sent to a remote computer. Executed in the command prompt console on Linux OS.

Disaster Recovery Plan (DRP)

A written document that details the process for restoring IT resources following an event that causes a significant disruption in service like a flood or power outage.

Admissibility

Acceptable or valid, especially as evidence in a court of law.

Incident Response Process

Action steps to be taken when an incident occurs: -Preparation -Identification -Containment -Eradication -Recovery -Lessons learned

Containment

An action step in the incident response process that involves limiting the damage of the incident and isolating those systems that are impacted to prevent further damage.

Cache

An area or type of computer memory in which information that is often in use can be stored temporarily and got to especially quickly.

Hping

An enhanced Ping utility for crafting TCP and UDP packets to be used in port-scanning activities. One of the de-facto tools for security auditing and testing of firewalls and networks, and was used to exploit the Idle Scan scanning technique now implemented in the Nmap port scanner.

Counterintelligence (CI)

An in-depth application of strategic intelligence that involves gaining information about the attacker's intelligence collection capabilities.

Sampled Flow (Sflow)

An industry standard for packet export at Layer 2 of the OSI model. It provides a means for exporting truncated (shortened) packets, together with interface counters for the purpose of network monitoring.

rsylog

An open-source software utility used on UNIX and Unix-like computer systems for forwarding log messages in an IP network. It implements the basic syslog protocol, extends it with content-based filtering, rich filtering capabilities, queued operations to handle offline outputs , support for different module outputs , flexible configuration options and adds features such as using TCP for transport.

Random Access Memory (RAM)

Computer location where instructions and data are stored on a temporary basis. This memory is volatile.

cat

Command line in Linux and Windows used to concatenate files and print on the standard output.

grep

Command line in Linux to find things inside files or useful data.

chmod

Command line in Linux tp change permission modifiers or change the access permissions of file system objects (files and directories), or change special mode flags.

Right-to-audit

Contractor shall establish and maintain a reasonable accounting system that enables company to readily identify contractor's assets, expenses, costs of goods, and use of funds.

Metadata

Data that describes other data

Swap File

Deals with modern Windows apps (the kind you download from the Windows Store), moving them to the hard drive in a sort of hibernation state when not in use, while the page file takes individual pages (4KB in size) of a process and moves them back and forth as needed.

journalctl

Displays the entire journal, with the oldest entries at the top of the list. The list is displayed in less, allowing you to page and search using the usual navigation features of less.

Head

Displays the first 10 number of lines in the file.

Tail

Displays the last 10 number of lines in the file.

The Diamond Model of Intrusion Analysis

Emphasizes the relationships and characteristics of four basic components: the adversary, capabilities, infrastructure, and victims. For every intrusion event, there exists an adversary taking a step toward an intended goal by using a capability over infrastructure against a victim to produce a result. This means that an intrusion event is defined as how the attacker demonstrates and uses certain capabilities and techniques over infrastructure against a target.

Preservation

Ensuring that important proof is not destroyed.

Tabletop Exercise

Exercises that simulate an emergency situation but in an informal and stress-free environment. For example, individuals sitting around a table with a facilitator discussing situations that could arise and how best to respond to them.

Wireshark

Free and open-source packet analyzer. Application that captures and analyzes network packets. Also known as a packet sniffer.

Log files

Generated by Web server software, record a user's actions on a Web site or Web server. - Network - System - Application - Security - Web - DNS - Authentication

Protocol Analyzer

Hardware or software that captures packets to decode and analyze their contents.

Python

High-level and general-purpose programming language.

Tcpreplay

IDS, Firewalls, and Honeypots. Tool to replay saved tcpdump or snoop files at arbitrary speeds. SideStep IDS, Firewalls, and Honeypots. An IDS evasion tool.

Regulatory/Jurisdiction

Information security frameworks/architectures that are required by.

URL filter

Involves blocking websites based solely on the URL, restricting access to specified websites and certain web-based applications. Limits access by comparing web traffic against a database to prevent employees from accessing harmful sites such as phishing pages.

Content filter

Involves using a program to prevent access to certain items, which may be harmful if opened or accessed. The most common items to filter are executables, emails or websites.

Security Breach Notification Laws

Laws that require individuals or entities affected by a data breach to notify their customers and other parties about the breach, as well as take specific steps to remedy the situation based on state legislature. Data breach notification laws have two main goals. The first goal is to allow individuals a chance to mitigate risks against data breaches. The second goal is to promote company incentive to strengthen data security.

dnsenum

Multithreaded perl script to enumerate DNS information of a domain and to discover non-contiguous IP blocks. Gets information like the host's address.

PowerShell

Object-oriented automation engine and scripting language with an interactive command-line shell that Microsoft developed to help IT professionals configure systems and automate administrative tasks.

theHarvester

Objective of this program is to gather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN computer database. Tool intended for penetration testers in the earl stages of a penetration test to understand the customer footprint on the internet.

Nessus

One of the most common vulnerability scanners in the cybersecurity industry today. The most comprehensive vulnerability scanner on the market today. Will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Order of Volatility (OOV)

Order in which you should collect evidence or the sequence in which volatile data must be preserved in a computer forensic investigation.

scanless

Pentesting tool that is a Python 3 command-line utility and library for using websites that can perform port scans on your behalf.

Quarantine

Process of isolating a file suspected of being infected with a virus to a specific area of a storage device in order to prevent it from contaminating other files. Used when anti-virus software detects a problem and is unable to eliminate it with its current protocols, or when it is unsure whether or not the file is a known virus.

IP Scanner

Reliable network scanner to analyze LAN. The program shows all network devices, gives you access to shared folders, provides remote control of computers, and can even remotely switch computers off. Nmap IP Scanner, ARP Scan, Angry IP Scanner, and etc.

Disk

Several types of media consisting of thin, round plates of plastic or metal, used for external storage: magnetic ___; floppy ____; optical ____.

Password Crackers

Software programs used to identify an unknown or forgotten password. Generates a key or may change a file to trick the software into allowing the cracker to use it as if the correct serial key had already been entered.

Operating System (OS)

Software used to control the computer and its peripheral equipment.

Simulation Exercise

Test performed under conditions as close to as possible to real-world conditions. The most hands one.

Time Offset

The amount of time added to or subtracted from Coordinated Universal Time (UTC) to arrive at the current local time.

Strategic Intelligence (STRATINT)

The collection, processing, analysis, and dissemination of intelligence for forming policy changes. -Foresight -Visioning -System thinking -Motivating -Partnering

Dump file

The file that stores the contents of a memory dump.

Communication Plan

The plan incorporates the goals of the strategy and crafts messages to solicit input and to provide information. The plan includes an analysis of various audiences, selection of channels of communication, timing for message dissemination, timing for input and reaction to messages, and ongoing monitoring of acceptance and resistance to change.

Autopsy

The premier end-to-end open source digital forensics platform with modules that come with it out of the box and others that are available from third-parties.

Network Flow (NetFlow)

The primary tool used to monitor packet flow on a network. Provides the ability to collect IP network traffic as it enters or exits an interface. By analyzing the data provided by ____, a network administrator can determine things such as the source and destination of traffic, class of service, and the causes of congestion.

Electronic Discovery (e-discovery)

The process of identifying and retrieving relevant electronic information to support litigation, government investigation, or Freedom of Information Act efforts.

Stakeholder Management

The project management knowledge area that focuses on the management and engagement of the project stakeholders. There are four processes in this knowledge area: identify stakeholders, plan stakeholder management, manage stakeholder engagement, and Monitor Stakeholder Engagement.

Data Sanitisation

This trims or strips strings, removing unwanted characters from strings. Tools that can be employed to securely remove data from electronic media.

Playbook

To provide all members of an organization with a clear understanding of their responsibilities towards cybersecurity standards and accepted practices before, during, and after a security incident.

Exploitation Frameworks

Tools used to store information about security vulnerabilities. They are often used by penetration testers (and attackers) to detect and exploit software. A structure of exploits and monitoring tools used to replicate attacks during a vulnerability assessment.

dd

Used for extracting evidence From Image File. __ file is an image file created out of ____ commands. ____ is a powerful and simple command-line utility to create disk images, copy files etc. seen in Unix or Linux OS.

Sn1per

one of the most amazing pentest frameworks for automated vulnerability scanning. Comes with tools such as theharvester, sqlmap, and sslscan to scan vulnerabilities. Automatically collects basic recon and explot vulnerabilities.