Security+ 601 - Ch 14: Incident Response

Application logs

A common type of log file used by incident responders that include information like installer information for applications, errors generated by application, license checks, and any other logs that applications generate and send to this type of log.

Security logs

A common type of log file used by incident responders that store information about failed and successful logins, as well as other authentication log information.

Continuity of operation planning (COOP)

A federally sponsored program in the United States that is part of the national continuity program. This program defines the requirements that government agencies need to meet to ensure that continuity of operations can be ensured.

Dump files

A file created when a computer crashes and all contents in the memory are saved there. These files can be analyzed by using a tool such as Blue Screen Review.

Vulnerability scan output

A form of data that can be pulled into incident analysis activities. This data can provide clues about what attackers may have targeted, changes in services, or suddenly patched issues due to attackers closing a hole behind them.

Diamond Model of Intrusion Analysis

A framework for analyzing cybersecurity incidents and intrusions by exploring the relationships between four core features: adversary, capability, infrastructure, and victim.

Cyber Kill Chain

A systematic seven step outline of the process of a cyber attack, introduced at Lockheed Martin in 2011. 1. Reconnaissance, 2. Weaponization, 3. Delivery, 4. Exploitation, 5. Installation, 6. Command and Control (C2), 7. Actions on Objective.

SIEM rules

The conditions set in a SIEM dashboard that can use logic to determine if the dashboard will simply trigger an alert or be as complex as a programmatic action that changes infrastructure, enables or disables firewall rules, or triggers other defense.

Preparation phase

The first phase in the incident response cycle. In this phase you build the tools, processes, and procedures to respond to an incident. That includes building and training an incident response team, conducting exercises, documenting what you will do and how you will respond, and acquiring, configuring, and operating security tools and incident response capabilities.

Eradication phase

The fourth phase in the incident response cycle. This phase involves removing the artifacts associated with the incident. In many cases, that will involve rebuilding or restoring systems and applications from backups rather than simply removing tools from a system since proving that a system has been fully cleaned can be very difficult. Complete eradication and verification is crucial to ensuring that an incident is over.

Runbooks

The operational procedures guides that organizations use to perform actions. They simplify the decision process for common operations that may support incident response, and they can help guide and build automation for tasks like communications, malware removal, or scanning.

Incident response process

The phases of incident response, including preparation. identification. containment, eradication, recovery, and lessons learned.

Lessons learned phase

The sixth phase in the incident response cycle. This phase is important to ensure that organizations improve and do not make the same mistakes again. They may be as simple as patching systems or as complex as needing to redesign permission structures and operational procedures. The team takes what was learned and uses it to inform the preparation process, and the cycle continues.

Disaster recovery (DR) plans

These IR plans define the processes and procedures that an organization will take when a disaster occurs. They focus on natural and man-made disasters that may destroy facilities, infrastructure, or otherwise prevent an organization from functioning normally. They focus on the restoration or continuation of services despite a disaster.

Stakeholder management plans

These IR plans help with prioritization of which stakeholders will receive options to offer input or otherwise interact with the IR process, communications and support staff, or others involved in the response process.

Communications plans

These IR plans should be in place to ensure there is no lack of communication, incorrect communication, or just poor communication that would cause significant issues for an organization and its ability to conduct business.

SIEM sensor

These are deployed across the network to monitor and collect changes that are noted in log files to give visibility as events occur. Information is then sent to SIEM dashboards.

Playbooks

These are step-by-step guides intended to help incident response teams take the right actions in a given scenario. Organizations will build these guides for each type of incident or event that they believe they are likely to handle.

Table exercises

These exercises are used to talk through processes. Team members are given a scenario and are asked questions about how they would respond, what issues might arise, and what they would need to do to accomplish the tasks they are assigned in the IR plan. This can resemble a brain storming session as team members think through a scenario and document improvements in their response and the over IR plan.

Simulations

These exercises can include a variety of types of event. Exercises may simulate individual functions or elements of the plan, or only target specific parts of an organization. They can also be done at full scale, involving the entire organization in the exercise. It is important to plan and execute simulations in a way that ensures that all participants know that they are engaged in an exercise so that no actions are taken outside of the exercise environment.

SIEM trends

A SIEM dashboard capability that allows the user to view trend information that can point to a new problem that is starting to crop up, an exploit that is occurring and taking over, or simply which malware is most prevalent in your organization.

SIEM sensitivity and thresholds

A SIEM dashboard capability that lets you set threshold, filters rules, and use other methods of managing the sensitivity of the SIEM. Alerts may be set to activate only when an event has happened a certain amount of times, or when it impacts specific high-value systems.

SIEM alerts and alarms

A SIEM dashboard capability that notifies the user if an alarm goes off. The alarms can be categorized by their time and severity, then provide detailed information that can be drilled down into.

System logs

A common type of log file used by incident responders that include everything from service changes to permission issues of a system and tracks information generated by the system while it is running.

Security information and event management (SIEM)

A method for analyzing risk in software systems. It is a centralized collection of monitoring of security and event logs from different systems. SIEM allows for the correlation of different events and early detection of attacks.

SIEM Dashboard

A program that can be configured to show the information considered most useful and critical to an organization or to the individual analyst. They include sensors that gather and send information to the SIEM, trending and alerting capabilities, correlation engines and rules, and methods to set sensitivity and levels.

Authentication logs

A type of log that are useful to determine when an account was logged into and may also show privilege use, login system or location, incorrect password attempts, and other details of logins and usage that can be correlated to intrusions and misuse.

DNS logs

A type of log that provides information about DNS queries.

Secure Orchestration, Automation, and Response (SOAR)

Automating security tasks by using playbooks and runbooks. Contains a checklist of actions that should be performed by human staff when a security incident occurs.

Metadata

Data that describes other data. This type of data can be found in emails, mobile devices, websites, and files.

Recovery phase

The fifth phase in the incident response cycle. This phase has you brining systems or services back online or other actions that are part of a return to operations. This phase requires eradication to be successful, but it also involves implementing fixes to ensure that whatever security weakness, flaw, or action that allowed the incident to occur has been remediated to prevent the event from immediately reoccurring.

Isolation

The process of moving a system into a protected space or network where it can be kept away from other systems.

Segmentation

The process of using security, network, or physical machine boundaries to build separation between environments, systems, networks, or other components and is often employed before an incident occurs.

Identification phase

The second phase in the incident response cycle. This phase involves reviewing events to identify incidents. You must pay attention to indicators of compromise, use log analysis and security monitoring capabilities, and have a comprehensive awareness and reporting program for your staff.

Incident response team

The team that manages and executes the IR plan by detecting, evaluating, and responding to incidents. This team usually contains leadership, information security staff, technical experts, communication and public relations staff, legal and human relations (HR) staff, and law enforcement.

Containment phase

The third phase in the incident response cycle. Once an incident has been identified, the incident response team needs to contain it to prevent further issues or damage.

Business continuity (BC) plans

These IR plans focus on keeping an organization functional when misfortune or incidents occur.

Walk-throughs

These exercises take a team through an incident step by step. This exercise can help ensure that team members know their roles as well as the IR process, and that the tools, access, and other items needed to respond are available and accessible to them. This exercise is an excellent way to ensure that teams respond as they should without the overhead of a full simulation.

Web logs

These types of logs have information from tracking requests to a web server and related events.

MITRE's ATT&CK framework

This framework includes detailed descriptions, definitions, and examples for the complete threat lifecycle from initial access through execution, persistence, privilege escalation, and exfiltration. At each level it lists techniques and components, allowing threat assessment modeling to leverage common descriptions and knowledge.

Network and security device logs

This information can include logs for routers and switches with configuration changes, traffic information, network flows, and data captured by packet analyzers like Wireshark.

SIEM log files

This is a product of a SIEM dashboard that provides incident responders with information about what has occurred.

Retention policy

This policy determines how long you keep data and how it will be disposed of.

Containment

This process leaves the system in place but works to contain and prevent further malicious actions or attacks.

Alert fatigue

When an excessive number of alerts are used in an information system, users get tired of looking at the alerts and may ignore them.