Lesson 17 Incident Response

Question 1

Incident Response Cycle
PICERL
-will be on test, usually describes scenario and asks what is next step

Answer 1

Note: Can have overlaps in steps

Prep
- have tools and training up to date and ready for use

Identify

• Detection and Analysis (it happened and what happened)
• we have a virus and which virus
• notify stakeholders

Containment
-isolation while limiting immediate impact on customer

Eradication

• Removal and destruction
• Restore to a secure state, apply secure config settings and patches
• Notify stakeholders for remediation

Recovery

• Recover data, bring systems back online
• Go back to Identify, may have not fully recovered

Post-Incident

• lessons learned, documentation
• improve Prep stage, go back to prep stage

Question 2

Incident Response Plan

Answer 2

List of procedures, contacts, and resources available to responders
Playbooks (or run books) is a data driven standard operating procedure (SOP) to assist in detecting and responding to cyberthreat scenarios

Incident categorization

Prioritization factors

Important to have:
- Minimize Panic
Important to practice:
- provides training and familiarity of plan

Question 3

Cyber Kill Chain Attack Framework
or
Steps of Attack / Framework
will be on test

Answer 3

Steps of Attack / Framework
Reconnaissance / Research
Weaponization / Build your attack and tools
Delivery / get into; Component Access
Exploitation / Breach Security or Activation 
Installation / Persistence - how to stay
Cmd & Control / Reach back to Attacker
Actions on Objectives / The Attack

Question 4

Other Attack Frameworks

Answer 4

MITRE ATT&CK

• Database of TTPs
• Tactic categories
• No explicit sequencing

Diamond Model of Intrusion
- Framework for describing adversary capability and infrastructure plus effect on victim

Question 5

Incident Response Exercises

Answer 5

Table Top

• Facilitator presents a scenario and then discuss the action to take to identify contain and eradicate the threat
• no actions on live system

Walkthroughs
- Responders demonstrate response actions via running scans and analyzing sample files using a sandbox

Simulators

• Red team performs simulated intrusion
• Blue team operates response and recovery controls
• White team moderates and evaluates

Question 6

Disaster recovery plan

Answer 6

A plan used to survive and recover from a disaster level event

Question 7

Business Continuity Plan

Answer 7

A plan outlining mission critical business functions and seeks to provide redundancy for them

Question 8

COOP

Answer 8

Continuity of Operation Planning (COOP) used for government facilities similar to BCP

Can mean specifically to backup methods of performing mission functions without IT support

Question 9

Incident Identification

Answer 9

linking events together to know there has been or may be a pending incident

Possible event precursors:
-Establish a baseline though log files, error messages, IDS alerts, firewall alerts

• Compare deviations to established metrics to recognize their scopes
• Manual and physical inspections of site, premises, networks, and hosts
• Notifications from users, customers, suppliers
• Public reporting of vulnerabilities or threats by system vendors, regulator, the media

Question 10

Out-of-band communication

Answer 10

Use as to not alert an attacker the attack has been detected.

Also allows for a means of communication should the attack be on a form a communication, such as VoIP, email, etc.

Question 11

SIEM Correlation

Answer 11

Security Information and event management (SIEM) can run correlation rules on indicators extracted from data sources to detect events requiring investigation as potential incidents

Question 12

Correlation

Answer 12

to interpret the relationship between individual data points to diagnose incidents of significance to the security team

A SIEM can use logical expressions to make correlations and can be connected to threat database feed to make better correlations to current events on the system

Question 13

Retention

Answer 13

Keeping data for a defined period of time

A SIEM can enact a retention policy for historical log and network traffic data to be kept for a period of time

Allows for retrospective incident and threat hunting as well as for forensic evidence

Question 14

Trend Analysis

Answer 14

process of detecting patterns or indicators within a data set over a time series and using these patterns to predict future events

SW must aid in this activity due to the sheer amount of data available

Can apply to frequency, volume, or statistical deviation

Frequency establishes a baseline for a metric

Volume can apply to logs, network traffic, or increased disk use or reduced disk space on the endpoint hosts - all indicators which should raise suspicion

Statistical deviation can show where a data point should be treated as suspicion

Question 15

Syslog

Answer 15

provides an open format, protocol, and server sw for logging event messages

contains:

• a PRI code
• header with timestamp and hostname
• a message part with tag of src process plus content

usually uses UDP port 514

Question 16

Rsyslog

Answer 16

an updated Syslog with same file syntax but can work over TCP and use a secure connection

more customizable message handling due to more types of filter expressions in the config file

Question 17

Syslog-ng

Answer 17

uses a different configuration file than syslog but can use TCP/secure communications and more advanced options for message filtering

Question 18

journald and journalctl

Answer 18

Linux systems use systemd to initialize the system and to start/manage background services.

logs from systemd managed processes are binary files called journald

use journalctl to read the binary log files

Question 19

NXlog

Answer 19

an open-source log normalization tool

Used to collect Windows logs, which are XML formatted, and then normalize these logs into a syslog format

Question 20

5 main Categories of Windows event logs

Answer 20

Application
- events generated by applications and services, such as when a service cannot start

Security
- audit events, like failed logon or access to a file being denied

System
- events generated by the OS and its services such as storage volume health checks

Setup
- event generated during installation of Windows

Forwarded events
- events sent to the local log from other hosts

Question 21

Network logs

Answer 21

Generated from network devices such as routers, firewalls, switches and access points

Records

• operation and status of the appliance
• traffic and access logs for network behavior

examples
host trying to use a port which is blocked by the firewall
endpoint trying t ouse multiple MAC addresses when connected to a switch

Question 22

Authentication Logs

Answer 22

inspect security logs for authentication attempts for each host

inspect logs from server authorizing logons such as those from RADIUS, TACACS+ servers or Windows Active Directory (AD)

Question 23

Vulnerability Scan Output

Answer 23

The scan produces a report and should be analyzed to identify vulnerabilities which have not been patched or config weaknesses which have not been addressed

Used by a scan engine to produce a log or alert entry when the report contains a vulnerability

Question 24

Application Logs

Answer 24

can write to the Event Viewer or syslog or to any application directory selected by the developer

Question 25

DNS Event Logs

Answer 25

Can provide useful security info: - types of queries a host made to DNS - host contacting suspicious IP address ranges or domains - large number of failed DNS lookups, pointing to computers which are infected with malware, misconfigured, or running obsolete or faulty applications

Question 26

Web/HTTP Access logs

Answer 26

Inspect for codes where in the 400s are client-based errors and 500s are server based repeated 403 is forbidden indicating unauthorized user a 502 (bad gateway) indicating target server and an upstream server communications is blocked or a server is down Also can inspect HTTP header info to get a sense of the type of request being made, cookie info, MIME types, and User-Agent field (who made the request) User Agent can be misleading

Question 27

VoIP and SIP traffic

Answer 27

VoIP uses Session Initiation Protocol (SIP) to identify endpoints to setup the call and uses Real Time Protocol (RTP) to make the call transfer uses a call manager as a gateway to connecting the endpoints SIP produces logs similar to SMTP is a common log format - identifies endpoints, type of connection, and status messaging - inspection of this log can identify Man in the Middle attacks if an unauthorized proxy is being connected to Call manager access log can reveal suspicious connections

Question 28

System memory dump

Answer 28

can identify - running processes - contents of temp files - registry data - network connections - cryptographic keys - means of accessing encrypted data

Question 29

Meta data for file web email mobile

Answer 29

File metadata is attributes: creation, access, modified times, permissions, hidden or system type file, the ACL Web metadata is returned resource header settings, type of data returned Email internet header has many attributes such as sender, receiver address info, message transfer agent (MTA) has lots of info including results of spam checking. Use a tool to view as plain text can be difficult Mobile metadata contains call detail records (CDR), SMS text times, and the opposite party's number as well as data transfer volume. - can use cell tower information to track location history - CDRs saved by mobile operator for ~18 mos - might need consent from a BYOD

Question 30

Protocol Analyzer Output

Answer 30

Used by a SIEM which correlates an event or alert summary to the underlying packet information - Can help reveal the tools used in an attack - Can possibly extract binary files such as potential malware for analysis

Question 31

Network Flow collectors

Answer 31

A flow collector records the metadata and stats about network traffic rather than recording each frame These tools can - highlight trends and patterns in traffic from applications, hosts, and ports - alerts on detection of anomalies, pattern analysis, custom triggers - create a map of network connection to help interpret patterns of traffic and flow data - identify rogue user behavior, malware transit, tunneling, applications exceeding allocated bandwidth based on traffic patterns - identify malware attempts to contact a handler or command control channels

Question 32

Netflow tools NetFlow/IPFIX and sFlow

Answer 32

NetFlow has been redeveloped to IP flow information Export (IPFIX) - Cisco developed means of reporting network flow information to a structured database - several NetFlow monitoring tools are available - open source tools nfdump/nfsen sFlow developed by HP and is a web standard which samples network traffic to measure traffic statistics at any layer of the OSI model for a wider range of IPs than the IP based NetFlow - Can capture the entire packet header for samples

Question 33

Bandwidth Monitor

Answer 33

Can be reported by flow collectors High bandwidth indicate data exfiltration Can also be used on Firewalls and Secure Web Gateways

Question 34

Isolation Based Containment

Answer 34

Involves removing an affected component from the larger environment - remove a sever from network - put app into a sandbox - air gapping or disabling the switch port - Black hole - could disable a users account or application service

Question 35

Segmentation Based Containment