Chapter 17 Preventing and Responding to Incidents Flashcards

1
Q

What are the steps of the incident management process?

A

Detection, response, mitigation, reporting, recovery, remediation, lessons learned.

2
Q

What is a DRDoS attack?

A

Distributed reflected denial-of-service attack. The attacker does not attack the victim directly but manipulates traffic (spoofing the victim's address as the source) so that the victim receives the responses from other, uninvolved sources.

3
Q

What is a SYN flood attack?

A

The attacker sends multiple SYN packets but never completes the three-way handshake with the final ACK.

4
Q

What is a TCP reset attack?

A

Attackers can spoof the source IP address in a RST packet and disconnect active sessions. The two systems will then need to reconnect. Primarily an issue for systems that need persistent connections.

5
Q

What is a smurf attack?

A

Smurf attack is another type of flood attack, but it floods the victim with ICMP echo packets instead of SYN packets. It is a spoofed broadcast ping request using the IP address of the victim as the source IP.

Normally, ping uses ICMP to check connectivity with remote systems. By sending an echo request as a broadcast, all systems respond with echo replies, so the victim gets flooded. These attacks take advantage of an amplifying network (aka smurf amplifier) by sending a directed broadcast through a router. However, a 1999 RFC change said routers should not forward broadcast traffic, which should limit smurf attacks to a single network. Also, many firewalls, routers, and servers disable ICMP.

6
Q

What is a fraggle attack?

A

Fraggle attacks are similar to smurf attacks, but instead of using ICMP, they use UDP packets on UDP ports 7 and 19.

7
Q

What are common log types?

A

Security logs: Record access to files, folders, printers, and other resources. Can record when a user accessed, modified, or deleted a file. Security logging may need to be configured before it is recorded on some systems.

System logs: Record system events such as when a system starts or stops, when services start or stop, or when service attributes are modified. Logs that detect when systems reboot, or when services are stopped or modified can help detect malicious activity.

Application logs: Record information for specific applications.

Firewall logs: Record events related to any traffic that reaches a firewall. Typically include source IP, destination IP, and ports.

Proxy logs: Proxy servers improve Internet access performance and can control what sites users can visit. Logs include which sites were visited and how long users spent there.

Change logs: Record change requests, approvals, and actual changes to a system as part of a change management process. Can be manually created or be part of a personnel record system. Useful for disaster recovery, since you can see the last known state.

8
Q

What is syslog?

A

Protocol used to send event notification messages. A centralized syslog server receives these notifications. Typically used in Unix and Linux. The syslogd daemon handles the incoming messages. Some syslogd extensions allow the server to accept messages from any source.

9
Q

What is clipping?

A

A form of nonstatistical sampling. Only selects events that exceed a clipping level, which is a predefined threshold. For example, instead of raising an alarm for every failed logon, a clipping level can raise an alarm if it detects five failed attempts in 30 minutes. Widely used to establish a baseline of routine system or user activity. This is not an accurate depiction of everything happening, as statistical sampling would give, but it is less expensive and easier to implement.

10
Q

What is the difference between a playbook and a runbook?

A

Playbooks are documents that define how to verify an incident and give details of responses. Runbooks automate the playbook data into an automated tool.
