Ch-14 Flashcards
(7 cards)
Incident Response Cycle
Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned
Exercises
Tabletop - More or less a brainstorming session: scenarios are given and solutions are worked out. Typically held with the team leaders.
Walk-through - Step by step with all team members
Simulation - May simulate a single function or an entire event.
Incident Response Plan
Communication Plans
Stakeholder Management Plans
Business Continuity Plans
Disaster Recovery Plans
Government Organizations must have -
COOP - Continuity Of Operations Planning. Phase 1 - Readiness and Preparedness; Phase 2 - Activation and Relocation; Phase 3 - Continuity of Operations; Phase 4 - Reconstitution
Organization Policies
Policies - Formal statements of intent
Incident Response Policies - Will include the important components of the IR process. Will identify the team and the authority that the team operates under. May also have specific communication and compliance requirements.
Retention Policies - How long data is kept and how it will be disposed of.
Attack Frameworks
MITRE ATT&CK - Detailed descriptions and examples of the complete threat life cycle, listing techniques and components at each step. Comprehensive and free.
Diamond Model of Intrusion - Helps to paint a picture of the attack.
Core features - Victim, Adversary, Capability, and Infrastructure
Cyber Kill Chain - A seven-step model of an attack, developed by Lockheed Martin.
Steps - 1- Reconnaissance, 2- Weaponization, 3- Delivery, 4- Exploitation, 5- Installation, 6- C&C/Persistence, and finally 7- Actions on Objectives
Incident Response Tools
SIEM - Collect and aggregate log data. Allows for correlation of network data.
log tools -
syslog - logs are sent via the syslog protocol
rsyslog - for when syslog is too slow
syslog-ng - provides enhanced filtering, direct logging to databases and sending logs via TCP using TLS
NXLog - Open source centralization of logs that can parse and generate log files
systemd - Manages services, processes and the system itself in Linux
journalctl - Access the systemd journal. Ex: Since last boot $ journalctl -b
Filter by time $ journalctl --since "year-month-day hour:minute:second"
Isolation
Containment
Segmentation
Isolation - Moving a system to a protected space or network (removal from the network, a VLAN, or security rules in a VM or cloud) while still allowing inspection and investigation.
Containment - Leaves system in place but prevents further malicious actions.
Network-level containment is frequently accomplished using firewall rules or similar capabilities to limit the traffic.
System and application-level containment can be more difficult without shutting down the system or interfering with the functionality and state of the system, which can have an impact on forensic data. Therefore, the decisions you make about containment actions can have an impact on your future investigative work. Incident responders may have different goals than forensic analysts, and organizations may have to make quick choices about whether rapid response or forensic data is more important in some situations.
Segmentation - Often employed before an incident occurs to place systems with different functions or data security levels in different zones or segments of a network. Segmentation can also be done in virtual and cloud environments.