Lesson 12: Explain Incident Response and Monitoring Concepts Flashcards
1
Q
Define an ‘Incident’
A
An event that interrupts standard operations or compromises confidentiality, integrity, or availability.
2
Q
Define an ‘Incident response policy/plan (IRP)’
A
Defines the resources, processes, procedures, and guidelines for dealing with cybersecurity incidents.
3
Q
What are the seven steps of CompTIA’s incident response lifecycle?
A
- Preparation
- Detection
- Analysis
- Containment
- Eradication
- Recovery
- Lessons learned
4
Q
Define the first step (preparation) of the CompTIA incident response lifecycle
A
Hardening systems, writing policies and procedures, and setting up confidential lines of communication; implies creating IRP.
5
Q
What features does a security information and event management (SIEM) have to assist in preparation?
A
- Incident detection for collection and analysis of environment
- Digital forensics for validating data
- Case management tools for logging incidents and coordinating response activities
6
Q
Define the second step (detection/identification) of the CompTIA incident response lifecycle
A
The process of correlating events from network and system data sources and determining whether they are an IoC.
7
Q
Define a ‘Call list’
A
A document listing authorized contacts for out-of-band notification and collaboration during a security incident.
8
Q
Define the third step (analysis) of the CompTIA incident response lifecycle
A
Process in which IoCs are assessed to determine validity, impact, category, and priority.
9
Q
What is necessary for an IoC to be a true positive incident?
A
Correlating multiple indicators.
10
Q
What is the next step after validating a true IoC?
A
Identify the type of incident and the data or resources affected; establishing the category and impact allows determination of priority.
11
Q
How does the value of data affect impact of an IoC?
A
The move valuable the data the higher the impact of the IoC.
12
Q
Define ‘downtime’ and how it can affect impact
A
The degree to which an incident disrupts business processes; Longer downtime means higher impact.
13
Q
When determining the scope, what factors can affect impact of the IoC?
A
The number of affected systems; the type of affected systems, and how the systems have been affected.
14
Q
How does detection time affect the impact of an IoC?
A
The longer it takes to detect an IoC, the more potential damage that can take place.
15
Q
What is the purpose of an incident category?
A
To ensure that all response team members and other organizational personnel have a shared understanding of the meaning of terms, concepts, and descriptions.
16
Q
What does effective incident analysis depend on?
A
Threat intelligence; insight into adversary tactics, techniques, and procedures (TTPs).
17
Q
Define a ‘cyber kill chain’
A
describes the stages by which a threat actor progresses to a network intrusion.
18
Q
Define the first step (Reconnaissance) in the cyber kill chain
A
Mapping an attack surface and identifying potential attack vectors using network probes, Open Source Intelligence (OSINT), and social engineering.
19
Q
Define the second step (weaponization) in the cyber kill chain
A
Coding an exploit to take advantage of a vulnerability discovered through reconnaissance coupled with a payload to deliver the exploit and maintain covert access.
20
Q
Define the third step (Delivery) in the cyber kill chain
A
Weaponized code is inserted into the environment using a selected attack vector.
21
Q
Define the fourth step (exploitation) in the cyber kill chain
A
Weaponized code is executed on the target system and gains the capability to deliver the payload.
22
Q
Define the firth step (installation) in the cyber kill chain
A
Payload is successfully installed on the target system using methods to remain undetected and achieve persistence.
23
Q
Define the sixth step (Command and Control) in the cyber kill chain
A
The payload establishes a connection to a remote server, enabling the attacker to connect to the target and download or fabricate additional attack tools.
24
Q
Define the seventh step (Action on Objectives) in the cyber kill chain
A
Adversary uses the compromised system to achieve or progress towards goals, such as data exfiltration, DoS/vandalism, or escalating access.
25
Define a 'playbook'
A checklist of actions to perform to detect and respond to a specific type of incident.
26
What is best practice when planning for different attack types?
Develop a playbook, or standard operating procedure (SOP) to assist analysts in detecting and responding to specific cyber threat scenarios.
27
Define the fourth step (containment) of the CompTIA incident response lifecycle
Isolating affected hosts/accounts; Limit the scope and magnitude of the incident; Secure data while limiting the immediate impact on customers and business partners.
28
When at the 4th step (containment) of CompTIA's incident response lifecycle, what should be considered in regards to the time it will take to implement containment?
What damage or theft has occurred already? How much more could be inflicted and in what sort of time frame.
29
How could containment inadvertently be a negative approach?
What actions could alert the threat actor that the attack has been detected? What evidence of the attack must be gathered and preserved?
30
What are two forms of containment?
1. Isolation-Based Containment
2. Segmentation-Based Containment
31
Define 'Isolation-Based Containment'
Isolation involves removing an affected component from whatever larger environment it is a part of; Removes any interface between the affected system and the production network or the Internet; Disabling a user account or service.
32
If a single host is infected, what are simple ways to isolate it?
Disconnect networking cables from the host or disabling the switch port.
33
What is the downside to pulling the plug from an infected system?
Least stealthy option and will reduce opportunities to analyze the attack or malware.
34
Define a 'sinkhole'
Honeynet; DoS attack mitigation strategy that directs the traffic that is flooding a target IP address to a different network for analysis.
35
Define 'Segmentation-Based Containment'
A means of achieving the isolation of a host or group of hosts using network technologies and architecture.
36
How can different layer 2/3 technologies be used to perform isolation?
Reconfiguring routing/firewall infrastructure to isolate infected VLANs and subnets.
37
Define the fifth step (eradication) of the CompTIA incident response lifecycle
Removes the cause of compromise and restores the affected system by applying secure configurations and/or installing patches once the incident has been contained.
38
Define the sixth step (recovery) of the CompTIA incident response lifecycle
Process in which hosts, networks, and systems are brought back to a secure baseline configuration and ensuring that the system cannot be compromised through the same attack vector.
39
What are the 3 steps of eradication and recovery efforts?
1. Reconstitution of affected system
2. Re-audit security controls
3. Notify affected parties
40
Define 'Reconstitution of affected system'
Removing malicious files or tools from affected systems or restoring systems from secure backups/images.
41
Define 'Re-audit security controls'
By ensuring no vulnerability to the same attack or from a new attack that could be launched through information gained from the initial attack; Changing cipher suites, a new system/OS, new cryptographic keys.
42
Why is it important to notify affected parties after reconstitution of affected system and re-audit of security controls?
To provide the means to remediate their own systems/accounts.
43
Define the seventh step (lessons learned) of the CompTIA incident response lifecycle
Analyzes the incident and responses to identify whether procedures or systems could be improved.
44
Define a 'lessons learned report (LLR)' or 'after-action report (AAR)'
An analysis of events that can provide insight into how to improve response and support processes in the future.
45
What should be included in a lessons learned report (LLR)?
A root cause analysis.
46
Define 'root cause analysis'
A technique used to determine the true cause of the incident, and when removed, it prevents the problem from occurring again.
47
Define a 'tabletop exercise'
A facilitator presents a scenario, and the responders explain what action they would take to identify, contain, and eradicate the threat.
48
Define a 'walkthrough exercise'
A facilitator presents the scenario similar to a tabletop exercise, but the incident responders demonstrate what actions they would take in response.
49
What separates a walkthrough from a tabletop exercise?
Running scans and analyzing sample files, typically on sandboxed versions of the company's actual response and recovery tools.
50
Define 'Threat hunting'
Insights gained from threat intelligence to proactively discover whether there is evidence of TTPs already present within the network or system.
51
Define 'Intelligence fusion'
Using sources of threat intelligence data to automate detection of adversary IoCs and TTPs.
52
What can intelligence fusion be implemented with?
In a security information and event management (SIEM).
53
Define a 'maneuver' in threat hunting
Blinding attack/distraction; The concept that threat actor and defender may use deception or counterattacking strategies to gain positional advantage.
54
Define 'Digital forensic analysis'
Examining evidence gathered from computer systems and networks to a standard that will be accepted in a court of law; Deleted files, timestamps, user activity, and unauthorized traffic.
55
How is digital evidence similar to DNA or fingerprints?
They are all latent; the evidence cannot be seen with the naked eye; It must be interpreted using a machine or process.
56
Because digital evidence is latent, what must be considered when using the evidence in procecution?
Steps must be taken to ensure the admissibility of digital evidence; Requires documentation showing how the evidence was collected and analyzed without tampering or bias.
57
Define a 'legal hold'
A process designed to preserve all relevant information when litigation is reasonably expected to occur.
58
Define 'Acquisition' in a legal sense
Process of obtaining a forensically clean copy of data from a device seized as evidence.
59
Define 'Data acquisition'
Tools used to create a forensically clean copy of data from a source device.
60
During the acquisition process, what is best practice when making images of volatile and nonvolatile storage?
To capture evidence in the order of volatility, from more volatile to less volatile.
61
What is the best practice order for data acquisition?
1. CPU registers and cache memory
2. RAM and other nonpersistent memory
3. HDDs, SSDs, flash memory
4. Remote logging and monitoring data
5. Physical configuration and network topology
6. Archival media and printed documents
62
Define volatile memory
Data is lost when power is removed.
63
Define a 'dump'
A file containing data captured from system memory.
64
Define a 'system memory dump'
An image file of running processes; Temporary files, registry data, network connections, cryptographic keys, etc.
65
Define 'disk image acquisition'
Acquiring data from nonvolatile storage; HDDs, SSDs, flash memory, optical media (CD/DVD).
66
What are the 3 types of device states for disk image acquisistion?
1. Live acquisition
2. Static acquisition by shutting down the host
3. Static acquisition by pulling the plug
67
Define 'Live acquisition'
Copying the data while the host is still running.
68
What is the upside to live acquisition?
Captures more evidence/data for analysis and reduces the impact on overall services.
69
What is the downside to live acquisition?
The data on the actual disks will have changed, so this method may not produce legally acceptable evidence; May also alert the bad actor and allow time to perform anti-forensics.
70
What is the drawback of static acquisition by shutting down the host?
Runs the risk that the malware will detect the shutdown process and perform anti-forensics to try to remove traces of itself.
71
What is the benefit and disadvantage of static acquisition by pulling the plug?
Most likely to preserve the storage devices in a forensically clean state, but there is the risk of corrupting data.
72
What is paramount when performing any sequence of acquisition?
To document the steps taken and supply a timeline and video-recorded evidence of actions taken to acquire the evidence.
73
What is the ''dd command'' in Linux and its function?
Linux command that makes a bit-by-bit copy of an input file, typically used for disk imaging.
74
What is the syntax for the dd command to image a disk?
dd if=*input file* of=*output file*
75
What is the value of a video verified
timeline in digital forensics?
Establishes the provenance; Being able to trace the source of evidence to a crime scene and show that it has not been tampered with.
76
When creating a forensically sound image from nonvolatile storage, what is to be considered when choosing the capture tool?
Capture tool must not alter data or metadata (properties) on the source disk or file system.
77
Where is data acquisition typically performed?
By attaching the target device to a forensics workstation or field capture device equipped with a write blocker.
78
Define a 'write blocker' and its purpose
A forensic tool to prevent the capture tool or analysis device from changing data on a target disk or media.
79
What is the first step in data acquisition?
A cryptographic hash of the disk media is made, using either the MD5 or SHA hashing function.
80
What is the second step in data acquisition?
A bit-by-bit copy of the media is made using an imaging utility.
81
What is the third step in data acquisition?
A second hash is then made of the image, which should match the original hash of the media.
82
What is the fourth step in data acquisition?
A copy is made of the reference image, validated again by the checksum. Analysis is performed on the copy.
83
Define 'Chain of custody'
Record of handling evidence from collection to presentation in court to disposal.
84
What is the reason for documenting chain of custody when security breaches go to trial?
Establishes the integrity and proper handling of evidence; Protects an organization against accusations that evidence has either been tampered with.
85
Define 'E-discovery'
Filtering relevant evidence produced from all the data gathered in a forensic examination and storing it in a database in a format such that it can be used as evidence in a trial.
86
What is an IoC that reveals the presence of a hidden partition?
Unused space in an extended partition.
87
What is a file system metadata structure that is used to store and organize file object information, such as file size, owner, permissions, and timestamps?
inode
88
Define a 'data source' in context of digital forensics
Something that can be subjected to analysis to discover indicators.
89
What are typical data sources?
Log files from a network device, host/OS, application, system memory, etc.
90
What two ways can a SIEM platform be used for automated reporting?
1. Alerts/Alarms to detect the presence of an IoC
2. Status reports
91
Define 'metadata'
Information stored or recorded as a property of an object, state of a system, or transaction.
92
What are the 3 components of a syslog message?
1. PRI code
2. Header
3. Message
93
Define the PRI code of a syslog message
Calculated from the facility and a severity level.
94
Define the header of a syslog message
Contains a timestamp, host name, app name, process ID, and message ID fields.
95
Define the the message of a syslog alert
Contains a tag showing the source process plus content.
96
What do security logs typically contain?
Audit events, such as a failed login or access to a file being denied.
97
Define an 'endpoint log'
A target for security-related events generated by host-based malware and intrusion detection agents.`
98
Define an 'email's internet header'
A record of the email servers involved in transferring an email message from a sender to a recipient.
99
How can metadata play a role in analysis of an incident?
Establish timeline questions, such as when and where a breach occurred, as well as containing other types of evidence.
100
Where can email metadata such as an email header be viewed?
Via commands on a mail client or from a message transfer agent (MTA).
101
Define the function of a security information and event management (SIEM)?
Provides real-time or near-real-time analysis of security alerts generated by network hardware and applications.
102
What are the 3 forms of collection that a security information and event management (SIEM) can utilize?
1. Agent-based
2. Listener/Collector
3. Sensor
103
Define a 'Listener/Collector'
A network appliance that gathers or receives log and/or state data from other network systems.
104
Define 'log aggregation'
Parsing information from multiple data sources so that it can be presented in a consistent and searchable format.
105
Define 'correlation'
A function of log analysis that links log and state data to identify a pattern that should be logged or alerted as an event.
106
Define an 'executive report' and its purpose
High-level summary for decision-makers. This guides planning and investment activity.
107
Define a 'manager report' and its purpose
Provides cybersecurity and department leaders with detailed information. This guides day-to-day operational decision-making.
108
Define 'alert tuning'
Process of adjusting detection and correlation rules to reduce incidence of false positives and low-priority alerts.
109
How can a rule/alert level be adjusted to correct false positives?
Adjust the parameter of the rules, adding more correlation factors, setting to log only/no alert, or to produce a notification for x amount of events.
110
In order to alleviate the number of alerts at an analyst's dashboard, what can be done to reduce alerts?
By redirecting alerts to a different group based on the type of alert.
111
How can AI help develop alerting?
Deploying machine learning (ML) to rapidly analyze the sort of data sets produced by SIEM and how analysts respond to alerts and tuning the ruleset in a way that reduces alert.
112
Define a 'network monitor'
Auditing software that collects status and configuration information from network devices typically based on SNMP.
113
Define the difference between a 'flow collector' and a network monitor
Records metadata and network traffic statistics rather than recording each frame for analysis.
114
What is the purpose of a flow collector?
Highlight patters in traffic; Alert based on anomalies, flow patterns or custom rules; Visualization of network.
115
How does a flow collector define a specific traffic flow?
By packets sharing the same characteristics, referred to as keys.
116
What is a collection of keys identifying a traffic flow called?
A flow label.
117
If traffic matches a key/flow label, what is it called?
A flow record.
118
What is a flow label made up of?
Packets that share the same key characteristics, such as IP source and destination addresses and protocol type; Also known as a 5-tuple.
119
Define a 'system monitor'
Software that tracks the health of a computer's subsystems using metrics reported by system hardware or sensors; high temperature, chassis intrusion, and so on.
120
What protocol does a vulnerability scanner use to determine if a host/app/service meets security best practice?
Security Content Automation Protocol (SCAP) allows compatible scanners to determine whether a computer meets a configuration baseline.
121
What two tools does the Security Content Automation Protocol (SCAP) use to determine if a computer meets baseline?
1. Open Vulnerability and Assessment Language (OVAL)
2. Extensible Configuration Checklist Description Format (XCCDF)
122
What is the difference between a sensor and a collector, in the context of SIEM?
A SIEM collector receives log data from a remote host and parses it into a standard format that can be recorded within the SIEM; A sensor (or sniffer) copies data frames from the network, using a mirror port or a TAP.
123
Which type of analysis involves deep-down, frame-by-frame scrutiny of captured network traffic to decode packet header fields and payload contents, aiding in identifying attack tools, data exfiltration attempts, and suspicious domains?
Retrospective network analysis (RNA)
124
Define 'Retrospective network analysis'
Recording the totality of network events at a packet header or payload level.
125
What is the purpose of retrospective network analysis?
Detailed analysis of captured traffic to identify attack tools, data exfiltration attempts, and suspicious domains.
