LDR 551 - Book 4 Flashcards

1
What is the Internet Storm Center?
Internet’s early warning system
2
What are the four key elements of incident response preparation according to Brown and Roberts?
Telemetry, hardening, process, practice
3
Why is visibility foundational in incident response?
It’s essential for investigation and response activities.
4
What helps prioritize response efforts in incident response?
Analytics, key assets, users, and contextual information
5
Why is having solid process documentation important in incident response?
Prevents figuring out procedures on the go.
6
What is often the most overlooked part of incident response?
Practice
7
What must incident response tools, services, and skillsets meet?
Requirements of the environment and constituency
8
What informs incident response staffing strategy?
Incident response goals
9
What is essential for effective incident response teamwork?
Strong interpersonal relationships and good communications
10
What should your SOC consider for each device type and location?
Readiness for different incident scenarios
11
What is a main consideration for SOC planning?
Scenarios the SOC is willing and capable of responding to
12
What is a key aspect of prevention as preparation?
Preparing infrastructure to resist intrusion
13
What are CIS benchmarks?
Best practices for secure configurations
14
What are the two levels of CIS security settings?
Level 1 and Level 2
15
What does Level 1 security setting aim to achieve?
Basic security with little impact on functionality
16
What does Level 2 security setting aim to achieve?
Greater security but may reduce functionality
17
What are CIS hardened images?
Securely configured virtual machine images
18
What is NIST SP 800-123?
Guide to General Server Security
19
What is the purpose of the NIST National Checklist Program?
Provides a searchable index of hardening guides
20
What are DISA STIGs?
Step-by-step checklists for locking down systems
21
What is the Australian Signals Directorate known for?
Detailed system configuration guides
22
What are the CIS Controls?
Prioritized actions for defense against attacks
23
How are CIS Controls organized?
By activities, not by who manages devices
24
What should you understand about your environment for effective security?
Normal operations in networks, hosts, applications, users
25
What is a good exercise for incident response preparation?
Trace "control" events through existing telemetry
26
What are the three components of incident response governance?
Policy, Plan, Procedure
27
What are the three foundational documents for incident response?
Policy, plan, and procedure
28
What is the purpose of the incident response policy?
High-level direction setting document
29
What does the incident response plan define?
Mission, strategies, and goals of the team
30
What are the phases of incident response according to NIST SP 800-61r2?
Preparation, Detection and Analysis, Containment, Eradication and Recovery, Post-Incident Activity
31
What should the incident response procedure include?
Technical processes, checklists, forms, templates, roles, responsibilities
32
What are the common IR team structures?
Centralized, Distributed, Coordinating
33
What is a coordinating team?
Provides help to other teams with higher authority.
34
Which team format is ideal for large organizations with in-house capabilities and a full SOC?
Distributed Team
35
What is the advantage of distributed teams?
Fastest response times.
36
Which SOC model is suitable for smaller, geographically bounded organizations?
Single centralized SOC model
37
In what scenario is a coordinating SOC commonly found?
Government scenarios with multiple authority levels.
38
What factors should be considered when selecting an IR team type?
Expected workload, team size, budget, expertise, availability.
39
What is the simplest staffing model for incident response?
Full in-house set of employees.
40
When might a partially outsourced IR capability be chosen?
Small budget or rare large incidents.
41
What is a key benefit of partially outsourcing IR capabilities?
Reduces costs for rarely needed specialties.
42
Why might a small business fully outsource its IR capabilities?
Lack of staff or in-house experience.
43
What is a hybrid partial outsourcing model used for?
To help stand up a new IR team.
44
What is crucial for effective incident response in multi-team systems?
Technical and social processes.
45
What role does a SOC lead play in communication during an incident?
Ensures direction and shields team from distractions.
46
What did the 2016 study on incident response emphasize?
Integration of technical and social processes.
47
What are common social failings in incident response teams?
Poor communication and collaboration.
48
What can help minimize communication failures during an incident?
Communications charters, plans, protocols.
49
What is the difference between taskwork and teamwork?
Taskwork is goal-related; teamwork is for coherence.
50
What must leadership coordinate in multi-team systems?
Teamwork and taskwork activities.
51
What is required for effective incident response?
Multiple teams and individuals working together
52
What drives incident response outcomes?
Taskwork-driven results and outcomes
53
Why is teamwork necessary in incident response?
To accomplish taskwork sustainably and repeatably
54
What happens without effective teamwork in incident response?
Too much variance and reliance on key individuals
55
What should incident response plans and training focus on?
Ensuring teams can work together effectively
56
What is the superordinate goal in an MTS Goal Hierarchy?
Protect Value Generation
57
What are the three main goals in incident response?
Identify, contain, eradicate threats; recover systems and data
58
What makes incident response inherently chaotic?
Requires many teams to work together across boundaries
59
What is a challenge if SOC team isn't wholly responsible for incident response?
Conceptualizing ownership of functions
60
What did Mark Orlando and Dr. Daniel Shore discuss in their Black Hat Europe 2022 talk?
Increasing efficiency in incident response
61
What is the purpose of an MTS Goal Hierarchy Diagram?
Map out functions contributing to incident response goals
62
What is a precursor to documenting roles and responsibilities in incident response?
Creating MTS Goal Hierarchy diagrams
63
What does an MTS Interaction Diagram help understand?
Relationships needing attention in procedures and plans
64
What can an MTS Interaction Diagram be used as?
Diagnostic for team interactions
65
Why is there a very high level of interaction between the Watch and Engineering Teams?
Engineering supports containment and recovery tasks
66
What should be done given the high interaction level between Watch and Engineering Teams?
Involve Engineering in preparation and training
67
What is the key distinction between incident response and incident management?
Incident response focuses on technical activities; incident management on business risk
68
When do incident response activities generally end?
When impacted systems and data are restored
69
What do technical tasks rarely address?
Mitigation or remediation of business risk
70
What does incident management (IM) address?
Business issues during an organizational crisis
71
Who supports the IM process?
Cross-functional group of stakeholders
72
When is an IM process typically initiated?
During incidents rising to an organizational crisis
73
What might a ransomware incident require?
Negotiation, law enforcement coordination, third-party experts
74
What should your incident response plan reference?
The IM process and key stakeholders
75
What are foundational elements of IR capability?
Incident response governance, staffing models, infrastructure hardening
76
What does incident response require as a multi-team effort?
Deliberate and effective teamwork
77
What may not be enough during an organizational crisis?
Existing IR plans, policies, and procedures
78
When is an incident identified?
When there is measurable/observable impact
79
What is a common characteristic of incident activities?
Evidence demonstrating negative or impending impact
80
What is important for incident detection?
High fidelity detections
81
What should be assigned once an incident is declared?
Incident handler/lead
82
What might the incident handler decide at the response stage?
Deeper forensic data collection
83
Role of the IR Lead
Facilitates communication, collaboration, and task management
84
Qualifications of an IR Lead
Experienced with IR best practices and decision-making
85
Primary Responsibilities of IR Lead
Serve as primary source of truth, establish communication channels
86
Who are Subject Matter Experts?
SOC analysts, engineers, or system owners
87
Role of the Scribe
Collects information and documents incidents
88
Intentional Evidence
Data created for auditability
89
Unintentional Evidence
Byproduct of other processes, e.g., Windows event logs
90
Importance of Compliance in IR
Avoid fines, penalties, lawsuits, and criminal penalties
91
Examples of Compliance Regulations
HIPAA, PCI DSS, FISMA
92
Incident Categorization Options
NIST 800-61r2, Verizon's VERIS
93
What is the benefit of the NIST 800-61 system?
It ranks dimensions like functional impact, information impact, and recoverability.
94
What is a drawback of the VERIS system?
It can go into an almost absurd amount of detail.
95
How can you address the complexity of the VERIS system?
Use only a subset of the VERIS framework.
96
When can you create a custom incident recording system?
If you don't need to share metrics outside your organization.
97
What is the benefit of linking VERIS to MITRE ATT&CK?
It ties incident metrics to specific threat actors or TTPs.
98
What new resource helps align VERIS with ATT&CK?
The ATT&CK-to-VERIS GitHub repo.
99
What are the two big categories in forensic analysis?
Investigation and Response.
100
What should you do during initial incident response?
Get baseline parameters and preserve volatile evidence.
101
What tools can help preserve evidence quickly?
EDR and SOAR tools.
102
What is the purpose of a playbook in incident response?
Guidance for responding to various scenarios.
103
What should be avoided when writing playbooks?
Over-engineering the incident response process.
104
What should a well-written playbook answer?
"Who do I call first?" and "What information do I need?"
105
How often should playbooks be reviewed?
Periodically, for relevance and timeliness.
106
What is the purpose of reference models in technical response playbooks?
To guide writing technical response playbooks.
107
What does an example playbook standardize?
Actions the team takes.
108
What should be done before escalation/closure as false positive?
Standardized actions.
109
Who handles manual investigative steps in a playbook?
Analysts.
110
Who handles automatable actions in a playbook?
SOAR platform.
111
What does a playbook ensure when a common event occurs?
Thorough investigation before closure.
112
What mix do playbooks often have?
Mandatory and optional steps.
113
What should be taken by analysts in a playbook?
Manual steps.
114
What can be performed with a SOAR platform in a playbook?
Simple data gathering and automated actions.
115
What are common errors when making playbooks?
Making too many or too strict playbooks.
116
What happens if playbooks are too strict?
Analysts work around the playbook.
117
What should high-level generic playbooks focus on?
What to do, not necessarily how.
118
What does a SOAR platform do in playbook-centric alert work?
Enriches data and makes decisions.
119
What does a SOAR system eliminate from analyst workflow?
Repetitive, non-value-added steps.
120
What is an example of a system similar to playbooks?
TheHive's "Case templates".
121
What does Adaptive Case Management enable?
Flexibility without sacrificing structure.
122
What does Adaptive Case Management involve?
Customizing the incident management system.
123
What should be captured during an incident?
Action items, timeline, leads, and outcomes.
124
What context should be tracked during an incident response?
Kill chain context for observed events.
125
What is a key metric for incident response?
Time to detection after initial compromise.
126
What is a common workflow for finding the initial point of compromise?
Move from known detection to infection point.
127
What is the most common workflow in incident detection?
Move from detection (D) to infection (C).
128
What should be scrutinized once point C is known?
Network and host data.
129
What should you look for in a multi-machine attack?
Evidence of lateral movement (B).
130
What should the SOC do after finding the real first point of access?
Time bound its search.
131
What becomes easier once pivoting tactics are exposed?
Finding each additional affected machine.
132
What is the SOC's goal from point D to E?
Get there as quickly as possible.
133
What is another goal of the SOC in general?
Minimize time between A and D.
134
What defines an ideal SOC?
Go from A to D and D to E in zero time.
135
What should be avoided in IR communications?
Attribution and jargon.
136
What is crucial in good IR communications?
Be clear, timely, and responsible.
137
Why should the security team provide updates?
To avoid dangerous assumptions.
138
Who should the updates be easily understood by?
A non-technical audience.
139
What is important in incident management?
Subtle distinctions in scenarios.
140
What might the IR team look for if usernames and passwords are stolen?
Where the passwords may be stored.
141
What does attackers using tokens suggest?
User logged in somewhere infected.
142
What role might SOCs designate for non-technical updates?
Scribe or incident coordinator.
143
What should be avoided when communicating with executives?
Technical jargon and vendor name-dropping.
144
What is the job of a leader in IR communications?
Bring order to chaos.
145
Why is shared understanding vital in incident response?
To address the same problem set.
146
What should be ensured from a communications perspective in IR?
Response procedures are followed.
147
Delegate technical tasks and collect inputs from whom?
Subject matter experts and other stakeholders
148
What should communication channels be compared to?
Staging area outside a burning building
149
How should productivity in communication channels be guarded?
Ruthlessly, even shutting down discussions
150
What should documentation during an incident consider?
OPSEC & data privacy, archivable, accessible
151
Where should findings and actions be stored during a response?
In a place accessible to team members
152
What may be sufficient for storing case notes?
Ticketing system
153
What features should a repository have during an incident?
Quick setup, organized actions, accessible
154
What are examples of real-time collaboration platforms?
Slack, Signal, online documents
155
What should text in any solution be?
Archivable or available for reference
156
What should be documented to brief the larger team?
Impacted users and systems
157
What should be collected during an incident?
Private keys, certs, API keys
158
What should be identified related to malicious activity?
IP addresses and domains
159
What should be shared in the early hours of an incident?
Indicators of compromise, compromised hosts
160
What is crucial in the early stages of an incident?
Answering key questions, minimizing damage
161
What can playbooks do in an incident response?
Reduce panic, improve quality and consistency
162
What should be built into your incident management system?
Steps in your playbooks
163
What are the objectives of Exercise 4.2?
Brainstorm tasks, develop playbook, build into system
164
What does forensic analysis in IR often require?
Additional capture and analysis
165
What makes forensic analysis more complex?
Cloud, mobile, virtualization technologies
166
What are the key data types required to fully scope and respond to an intrusion?
Network communications, running processes, file listings, user actions.
167
What combination is usually incorporated at the network layer for incident response?
Full packet capture and summary data.
168
What tools can be used at the host layer for incident response?
Agent-based tools, WMI, PowerShell.
169
What are the focuses of incident response tools in modern environments?
Live data, non-persistent and real-time data.
170
What might the incident response function include?
Forensic capture and analysis, system restoration.
171
What are the types of forensic analysis mentioned?
Memory, disk, network, mobile, cloud storage, data analysis.
172
What does forensic analysis of volatile memory include?
Memory caches, active network connections, processes.
173
What does network forensic analysis focus on?
Network packets and traffic.
174
What does mobile forensic analysis involve?
Device internals, hardware, filesystems.
175
What does cloud storage forensic analysis examine?
File-based, object, and block filesystems.
176
What are the steps in the digital media analysis workflow?
Identify goals, copy artifacts, analyze, extract, report.
177
What is the first step in the digital media analysis workflow?
Identify investigative goals or questions.
178
What is the purpose of copying artifacts in digital media analysis?
To avoid changing original media.
179
What are some tools for disk and media capture and analysis?
Autopsy, SleuthKit.
180
What are some tools for drive reconstruction?
Forensic Toolkit (FTK), EnCase.
181
What are some tools for malware analysis?
Velociraptor, Sysmon, OSQuery.
182
What are some live distributions for incident response?
REMnux, SIFT, FLARE.
183
What are the types of enterprise security tools mentioned?
EDR, NDR, XDR
184
What should you consider when assembling your IR toolset?
Frequency, type, reporting requirements, team skillset
185
What factors impact forensic analysis decisions?
Remote vs local, cost, data format, CLI/GUI, full dump or key artifacts
186
Why is it risky to log into a compromised system?
Credentials may be stolen and used for lateral movement
187
What are interactive logins?
Logins where you interactively use the machine (e.g., RDP, PsExec)
188
What are noninteractive logins?
Logins like mapping a drive on a remote file share
189
What can attackers do if they obtain your credentials?
Pivot to other systems within the organization
190
What is the RDP Restricted Admin Model?
Connects via RDP without storing credentials in memory
191
What is Windows Defender Remote Credential Guard?
Prevents pass-the-hash attacks, uses Kerberos
192
What is a disadvantage of Windows Defender Remote Credential Guard?
Service tickets are vulnerable during their lifetime
193
What capabilities does PowerShell provide for incident response?
Data collection, analysis, mitigation actions
194
What data sources can PowerShell access for investigations?
WMI, COM, .NET, Windows API
195
What types of data can PowerShell collect?
Files, registry artifacts, logs, volatile processes, network info
196
What is PowerShell's scripting language type?
Object-based
197
What service does PowerShell use for remote management?
Windows Remote Management (WinRM)
198
Why is PowerShell suitable for large scale remote operations?
Runs actions in parallel on targets
199
What is a key benefit of PowerShell remoting?
Agentless, uses built-in WinRM
200
What makes PowerShell a cost-effective option?
Low cost if skillsets are present
201
Since when has Windows Remote Management been available?
PowerShell 2.0 and Windows 7
202
What Windows versions have WinRM enabled by default?
Windows Server 2012 and 2016
203
What is PsExec part of?
Microsoft's Sysinternals suite
204
What is a common use of PsExec in incident response?
Remote script execution
205
What should you be cautious of when using PsExec?
May leave credentials open to theft
206
What does WMI enable users to do?
Query WMI object instances
207
Why is WMI a robust data source?
Almost all Windows actions generate WMI events
208
What is a powerful feature of WMI for attackers and defenders?
WMI events for real-time notifications
209
What is EDR great for?
Forensic analysis and threat hunting
210
Who coined the term Endpoint Detection and Response (EDR)?
Anton Chuvakin
211
What is EDR compared to traditional host-based controls?
EDR expands upon traditional host-based controls by providing visibility.
212
What are some examples of commercial EDR platforms?
FireEye HS, CrowdStrike Falcon, Microsoft Defender.
213
What is Wazuh?
An open source EDR with various capabilities.
214
What is NDR?
A class of security technologies using non-signature-based techniques.
215
What do NDR platforms often leverage?
Automated statistical analysis techniques.
216
What does XDR stand for?
Extended Detection and Response.
217
How does XDR improve upon EDR?
Incorporates cloud and network data sources.
218
What is the advantage of consolidating data at the host layer in XDR?
More effective triage and faster response actions.
219
What are the two main methods of malware analysis?
Automated analysis and manual analysis.
220
Why might automated malware analysis fail?
Malware may detect the sandbox or be in an unsupported format.
221
When is manual malware analysis necessary?
For highly complex malware with anti-analysis features.
222
What is essential for extracting IOCs from malware?
Manual malware analysis capability
223
Name three online malware analysis services.
VirusTotal, Joe Sandbox, Hybrid Analysis
224
What should you remember when using online malware analysis services?
Remember your OPSEC
225
What are common offline/on-prem malware analysis tools?
Cuckoo sandbox, Sandboxie
226
Name two popular free utilities for static malware analysis.
YARA, FireEye's FLOSS
227
Which SANS course teaches reverse-engineering malware?
SANS FOR610
228
What is a key consideration when choosing forensic tools for your team?
Service hours and SLAs for forensic analysis
229
What should be documented in your Incident Response Plan?
Triggers and inputs for forensic analysis
230
Name two immediate training courses for incident responders.
SANS SEC504, SEC503
231
What does SANS SEC504 focus on?
Incident handling and attacker perspective
232
What does SANS SEC503 focus on?
Deep dive into network traffic
233
Name a reference book for incident response tools and processes.
Applied Incident Response by Steve Anson
234
What is the first action during incident response?
Containment
235
What is of primary importance during containment?
Stop the bleeding
236
What is the goal of containment procedures?
Quick, tactical actions to stop attack progression
237
What should you consider when containing network traffic?
Cut off the system from the internet, internal network, or both.
238
What are some host-based containment methods?
Blocking and killing malicious processes, host-based firewalls
239
What should you do after identifying an active incident?
Take the first step to disrupt the activity: containment.
240
What should containment procedures involve?
Understanding the threat, planning action, informing stakeholders
241
What is a potential risk when blocking a primary domain or IP?
Malware may use backup command and control servers.
242
What is the goal of eradication procedures?
Fully removing the attacker from the environment
243
What are some eradication strategies?
Automated removal, surgical removal, wipe and rebuild
244
When might surgical removal be preferred over wipe and rebuild?
When zero downtime is the priority
245
What should be considered before immediate containment or eradication?
Context of the incident and potential OPSEC risks
246
How can you identify if you're not dealing with a highly advanced attacker?
If malware is publicly known or referenced in blogs.
247
What should you do if dealing with a non-targeted malware infection?
Clean up any machine with the infection.
248
What approach is recommended for a potential targeted attack?
Watch and learn approach.
249
What is the strategy for dealing with a targeted attack?
Closely watch the infected asset and review its history.
250
What is a risk of acting too quickly against a targeted attack?
Adversary may have multiple entry points and be tipped off.
251
What might adversaries do once they know you've detected them?
Change tactics, spread, or go silent.
252
Do real-world adversaries change tactics upon detection?
Yes, even penetration testers and Red Teams do this.
253
What must be done with digital evidence?
Documented, secured, labeled, and preserved.
254
Why is adhering to high standards in evidence preservation beneficial?
Protects from loss in insurance claims, lawsuits, or regulatory violations.
255
What should you consider when gathering additional evidence from affected hosts?
Data acquisition strategy.
256
What helps maintain consistency and reduce panic during a response?
Cataloging actions in playbooks.
257
What should be enabled for cloud incident response preparation?
Non-default events logging.
258
What logs are needed for cloud-based incident response?
Sign-in activity, data access, network flow, application/OS logs.
259
What should be considered when changing default logging configurations?
Additional charges and processing/storage requirements.
260
What should be decided regarding cloud logging?
How to centralize logging.
261
What may result from changing default retention periods for cloud-native log storage?
Additional costs.
262
What do incident responders require for effective investigation?
Enhanced access to the environment.
263
Minimum access required for cloud incident response
Read access for logs, write access for snapshots
264
Why is understanding cloud computing concepts critical for responders?
To interpret cloud telemetry and infrastructure
265
What should you revisit for cloud forensics and incident response?
Team's knowledge, skills, abilities, competencies
266
What is the Open Cybersecurity Schema Framework (OCSF)?
Common language for threat detection and investigation
267
How does OCSF simplify security logging?
By simplifying data ingestion and normalization
268
What makes OCSF suitable for multi-cloud environments?
Agnostic to storage format, ETL processes
269
How are OCSF schema files written?
As JSON, machine-readable and easy to interpret
270
What is the MITRE ATT&CK Cloud Matrix used for?
Expanding threat models for cloud infrastructure
271
What should guide a SOC's preparation for cloud incident response?
Threat intelligence and applicability to environment
272
What is recommended to ensure cloud IR effectiveness?
Regular purple team and red team tests
273
Primary source of cloud telemetry
System logs via cloud utility or logging API
274
Indicators of malicious activity in cloud billing
Unusual or unexpected spikes in usage charges
275
What can help baseline cloud environment effectively?
Early challenging work with infrastructure support
276
Considerations for deeper forensic analysis in cloud
Forensic toolset, evidence handling, cloud-native tools
277
Concerns with exporting cloud data for analysis
Cost and chain of custody concerns
278
Alternative to exporting cloud data for analysis
Cloud-native forensics using pre-built forensic VMs
279
What is a potential benefit of increasing storage and processing power of machines during an incident?
Avoiding bulk data export during an incident
280
How can read-only access to data help during an investigation?
Maintains chain of custody
281
What types of cloud-native tools might be incorporated into a forensic toolkit?
Log analysis platforms, SIEMs, AWS Lambda, Google Cloud Functions, Azure Functions
282
Where can you learn more about spinning up a forensics lab using cloud technologies?
AWS CloudFormation, Azure Resource Manager, Google Cloud Deployment Manager
283
What are the three domains where containment can occur in the cloud?
Service domain, Infrastructure domain, Application domain
284
Why is containment more challenging in the cloud compared to on-prem?
Control over only a portion of the impacted system
285
What should you understand based on your organization's cloud deployment model?
Containment options available
286
How can you conceptualize your cloud environment?
As service domain, infrastructure domain, and application domain
287
What is a key advantage of using cloud infrastructure?
Portability and ephemerality
288
What should you do to classify security incidents in the cloud?
Work with infrastructure teams and site reliability engineers
289
What should you know about your cloud service provider for effective incident response?
Telemetry enabled by default versus what is available
290
What is a good first place to check for information on cloud services?
Accounting for billing details
291
What should SOC incident leads be trained on?
Investigating and responding to incidents in the cloud
292
What varies between different cloud service providers (CSPs)?
Approaches and capabilities
293
What are the two main tactics to overcome short-term memory limitations in investigations?
Decomposition and externalization
294
What is decomposition in the context of investigations?
Breaking down a complex problem into fundamental parts
295
What is externalization in the context of investigations?
Getting data out of your head into a visible form
296
Who recommends decomposition and externalization for analysis?
Richards J. Heuer, Jr.
297
What is the first question in The Alexiou Principle?
What question are you trying to answer?
298
What is the second question in The Alexiou Principle?
What data do you need to answer that question?
299
What is the third question in The Alexiou Principle?
How do you extract that data?
300
What is the fourth question in The Alexiou Principle?
What does that data tell you?
301
What should analysts avoid doing immediately during an investigation?
Chasing the first intuitive idea
302
What is the goal of breaking down the investigation task into atomic questions?
To lead to the conclusion of the larger question