Security+ Chapter 14: Incident Response


Diamond Model of Intrusion Analysis

A framework for analyzing cybersecurity incidents and intrusions by exploring the relationships between four core features: adversary, capability, infrastructure, and victim. An adversary deploys a capability, targeted at an infrastructure, against a victim.

Disaster Recovery Plan

Define the processes and procedures that an org will take when a disaster occurs. Unlike a BC plan, this plan focuses on natural and man-made disasters that may destroy facilities, infrastructure, or otherwise prevent an org from functioning normally. Focuses on restoration or continuation of services despite a disaster.

Segmentation

Employed before an incident occurs to place systems with different functions or data security levels in different zones or segments of a network. Can be done in virtual and cloud environments.

Email Metadata

Includes headers and other info found in an email. Email headers provide details about the sender, the recipient, the date and time the message was sent, whether the email had an attachment, which systems the email traveled through, and other header markup that systems may have added, including antispam and other info.

Eradication (IR Cycle)

Involves removing the artifacts associated with the incident. In many cases, this will involve rebuilding or restoring systems and applications from backups rather than simply removing tools from a system, since proving that a system has been fully cleaned can be very difficult. This step is crucial to ensuring the end of the incident.

Identification (IR Cycle)

Involves reviewing events to identify incidents. You must pay attention to IoCs, use log analysis and security monitoring capabilities, and operate security tools and incident response capabilities.

Walk-Throughs

Take a team step by step through an incident. The exercise can ensure that team members know their roles as well as the IR process, and that the tools, access, and other items needed to respond are available and accessible to them.

ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge)

The most comprehensive freely available database of adversary techniques, tactics, and related info. Some of their matrices include pre-attack, enterprise matrices focusing on Windows, macOS, Linux, and cloud computing, as well as iOS and Android. Also details mitigations, threat actor groups, software, and the like.

Lockheed Martin's Cyber Kill Chain

- Reconnaissance: Target selection, research, vulnerability identification
- Weaponization: Creation of tools to exploit vulnerabilities
- Delivery: Weapon is delivered to target (email, thumb drive, etc.)
- Exploitation: Malware is triggered and exploits vulnerabilities
- Installation: Remote access tools/backdoors installed
- Command and Control (C2): Intruder has persistent access
- Actions on Objective: Intruder takes action to accomplish their goals: data acquisition and extraction, data damage, system damage

Security Information and Event Management (SIEM)

A software-enabled approach to aggregating, filtering, and managing the reaction to events, many of which are collected by logging activities of IDS/IPSs and network management devices.

Rsyslog

Alternative 'fast' version of syslog.

Containment (IR Cycle)

Boxes in the threat once it is identified. Can be challenging and may not be complete if elements of the incident were missed during the initial identification phase.

Dump Files

Can contain info that shows the state of memory and the system at the time of a crash. If the crash occurred because of an attacker or exploit, or if malware or attack tools were on the system, the dump file may contain those artifacts.

Simulations

Can include a variety of types of events. May simulate individual functions or elements of the plan, or target only a specific part of an organization. They can also be done at full scale, involving the entire org in the exercise.

Network and Security Device Logs

Can include logs for routers and switches with config changes, traffic info, network flows, and data captured by packet analyzers like Wireshark.

Vulnerability Scan Output

Can provide clues about what attackers may have targeted, changes in services, or even suddenly patched issues due to attackers closing a hole behind them.

Mobile Metadata

Collected by many phones and other mobile devices as they are used. Can include call logs, SMS and other message data, data usage, GPS location tracking, cellular tower info, and other details found in call data records.

Communication Plan

Critical to IR plans. A lack of or incorrect communication can cause significant issues for an org and its ability to conduct business.

Retention Policies

Determine how long log data needs to be kept and how it will be disposed of. Important to incident responders since they may determine how long the org keeps incident data, how long logs will be available, and what data is likely to have been retained and thus may have been exposed if a system or data store is compromised or exposed.

Web Metadata

Embedded into websites as part of the code of the site but often invisible to everyday users. Can include metatags, headers, cookies, and other information that helps with search engine optimization, website functionality, advertising, and tracking, or that may support specific functionality.

Business Continuity Plan

Focuses on keeping an organization functional when misfortune or incidents occur.

Lessons Learned (IR Cycle)

Important to ensure that orgs improve and do not make the same mistakes again.

System Logs (Event Viewer)

Include everything from service changes to permission issues. The Windows system log tracks information generated by the system while running.

Application Logs (Event Viewer)

Include info like installer info for apps, errors generated by apps, license checks, and any other logs that applications generate and send to the app log.

File Metadata

Includes when a file was created, how it was created, if and when it was modified, who modified it, the GPS location of the device that created it, and many other details.

Containment

Leaves the system in place but works to prevent further malicious actions or attacks. Typically accomplished via firewall rules.

Isolation

Moves a system into a protected space or network where it can be kept away from other systems. Remove from network, isolation VLAN, etc.

Runbooks

Operational procedure guides that orgs use to perform actions. Since they are procedural guides, these simplify the decision process for common operations that may support IR, and they can help guide and build automation for tasks like communications, malware removal, or scanning.

IR Cycle/Steps

Preparation - Identification - Containment - Eradication - Recovery - Lessons Learned

Syslog-ng

Provides enhanced filtering, direct logging to databases, and support for sending logs via TCP and protected by TLS.

Stakeholder Management Plan

Related to communication plans and focuses on groups of individuals who have an interest or role in the systems, orgs, or services that are impacted by an incident.

Recovery (IR Cycle)

Restoration to normal is the heart of this phase. This may mean bringing systems or services back online or other actions that are part of a return to operations. This follows a complete, successful eradication phase and implements security patches to prevent the event from recurring.

Security Orchestration, Automation, and Response (SOAR)

Seeks to meet the needs of managing multiple security technologies and using info from those platforms and systems to determine your org's security posture and status, while also managing security ops and remediating issues you identify. Allows you to quickly assess the attack surface of an org, the state of systems, and where issues may exist. Also allows automation of remediation and restoration workflows.

Sensors

Software- or hardware-based components that gather useful data for the SIEM. Can forward it in original form or do preprocessing to optimize the data before the SIEM takes it in.

Playbooks

Step by step guides intended to help IR teams take the right actions in a given scenario. Orgs build playbooks for each type of incident or event that they believe they are likely to handle, with examples ranging from advanced persistent threats to phishing attacks.

Security Logs (Event Viewer)

Store info about failed and successful logins, as well as other authentication log info.

Syslog

Traditional Linux logs are sent via this.

Continuity of Operations Plan (COOP)

United States federal government initiative that ensures certain government agencies can still perform under certain conditions. Defines how federal agencies build a complete DR and BC plan.

Tabletop Exercise

Used to talk through processes. Team members are given a scenario and are asked questions about how they would respond, what issues might arise, and what they would need to do to accomplish the tasks they are assigned in the IR plan.

IR Policies

Will include components of the IR process. Will identify the team and the authority that the team operates under. These will also require the creation and maintenance of incident handling and response procedures and practices; they may also have specific communication or compliance requirements that are included in the overall policy based on org needs.

Preparation (IR Cycle)

You build the tools, processes, and procedures to respond to an incident. Includes building and training an IR team, conducting exercises, documenting what you will do and how you will respond, and acquiring, configuring, and operating security tools and incident response capabilities.
