CySA+ Chapter 7: The Incident Response Process
Name the 9 key groups involved in IR
1. Technical staff or team,
3. Law enforcement,
6. Human Resources,
8. Marketing Department, and
9. Un-involved management
What is IR?
"IR," or "Incident Response," is the process of negating the effects of an incident on an information system.
Which NIST Special Publication describes the entire IR process?
NIST SP 800-61 revision 2.
The first step of IR is "Containment." What does this entail?
Once you know that a threat agent has compromised the security of your information systems, your first order of business is to keep things from getting worse. "Containment" is a set of actions that attempts to deny the threat agent the ability or means to cause further damage. The goal is to prevent or reduce the spread of this incident while you strive to eradicate it.
Containment should be based on the category of the attack (internal or external), the assets affected by the incident, and the criticality of those assets.
Containment approaches can be proactive or reactive. Which is best depends on the environment and the category of the attack. In some cases, the best action might be to disconnect the affected system from the network. However, this reactive approach could cause a DoS or limit functionality of critical systems.
Note: Remember that preserving evidence is an important part of containment.
Name the 4 ways discussed in the book in which we can contain an incident.
3. Removal, and
4. Reverse Engineering
How can you use segmentation to contain an incident?
You can segment your network by physically wiring separate networks or logically assigning devices to separate VLANs. In either case, traffic between network segments must go through some sort of gateway device, which is oftentimes a router with the appropriate ACLs. For example, the accounting division may have its own VLAN that prevents users in the R&D division from directly accessing the financial data servers. If certain R&D users had legitimate needs for such access, they would have to be added to the gateway device's ACL, which could place restrictions based on source/destination addresses, time of day, or even specific applications and data to be accessed.
With segmentation, compromises can be constrained to the network segment in which they started. To be clear, it is still possible to go from one segment to another, as in the case of the R&D users example. Some VLANs may also have vulnerabilities that could allow an attacker to jump from one to another without going through a gateway (VLAN hopping).
How can we use isolation to contain an incident?
Through segmenting the network as part of its architectural design, we already saw that this can still allow an attacker to easily move between hosts on the same subnet. As part of the preparations for IR, it's helpful to establish an "Isolation VLAN," much like hospitals prepare isolation rooms before any patient actually needs them. The IR team would then have the ability to quickly move any compromised or suspicious host to this VLAN until it can be further analyzed. The isolation VLAN would have no connectivity to the rest of the network, which would prevent the spread of any malware.
This isolation would also prevent compromised hosts from communicating with external hosts such as Command-and-Control (C2) nodes. About the only downside to using an isolation VLAN is that some advanced malware can detect this situation and then take steps to eradicate itself from the infected hosts. Although this may sound wonderful from an IR perspective, it does hinder our ability to understand what happened and how the compromise was executed so that we can keep it from happening in the future.
While a host is in isolation, the response team is able to safely observe its behaviors to gain information about the nature of the incident. By monitoring its network traffic, we can discover external hosts (for example, C2 nodes and tool repositories) that may be part of the compromise. This allows us to contact other organizations and get help in shutting down whatever infrastructure the attackers are using.
We can also monitor the compromised host's running processes and file systems to see where the malware resides, and what it's trying to do on the live system. This all allows us to better understand the incident and how to best eradicate it. It also allows us to create "Indicators of Compromise (IOCs)" that we can then share with others such as CERT or an "Information Sharing and Analysis Center (ISAC)."
How can removal help contain an incident?
At some point in the IR process, you may have to remove compromised hosts from the network altogether. This can happen after isolation or immediately upon noticing the compromise, depending on the situation. Isolation is ideal if you have the means to study the behaviors and gain actionable intelligence, or if you are overwhelmed by a large number of potentially compromised hosts that need to be triaged.
Still, one way or another, some of the compromised hosts will come off the network permanently. When you remove a host from the network, you need to decide whether you will keep it powered on, shut it down and preserve it, or simply rebuild it. Ideally, the criteria for making this decision are already spelled out in the IR plan. Here are some of the factors to consider in this situation:
The removal process should always be well-documented in the IR plan so that the right issues are considered by the right people at the right time.
If you have to remove an infected device from the network, what 3 factors must you consider?
1) Threat intelligence value: A compromised computer can be a treasure trove of information about the tactics, techniques, procedures (TTPs), and tools of an adversary. If you have a threat intelligence capability in your org. and can gain new or valuable information from a compromised host, you may want to keep it running until its analysis is completed.
2) Crime scene evidence: Almost every intentional compromise of a computer system is a criminal act in many countries, including the US. Even if you don't plan to pursue a criminal or civil case against the perpetrators, it's possible that future IR activities change your mind and would benefit from the evidentiary value of a removed host. If you have the resources, it may be worth your effort to make forensic images of the primary storage (for example, RAM) before you shut it down and of the secondary storage (for example, the file system) before or after you power it off.
3) Ability to restore: Keep as much of the removed host as possible. You don't want to remove a compromised computer that had critical business information that was not replicated or backed up anywhere else.
How can reverse engineering help contain an incident?
Though not technically a containment technique, "Reverse Engineering (RE)" can help contain an incident if the information gleaned from it helps identify other compromised hosts. RE is the detailed examination of a product to learn what it does and how it works. In the context of IR, RE relates exclusively to malware. The idea is to analyze the binary code to find, for example, the IP addresses or host/domain names it uses for C2, the techniques it employs to achieve permanence in an infected host, or a unique characteristic that could be used as a signature for the malware.
Generally speaking there are two approaches to reverse engineering malware. What are these two approaches and how do they work?
1) The first approach is not really concerned with what the binary is, but rather with what the binary does. This is called "Dynamic Analysis," and it requires a sandbox in which to execute the malware. The sandbox is a virtual OS that has a file system, network interface, memory, and anything else the malware asks for. Each request is carefully documented to establish a timeline of behavior that allows us to understand what it does. The main advantage of dynamic malware analysis is that it tends to be significantly faster and requires less expertise than the alternative (described next). It can be particularly helpful for code that has been heavily obfuscated by its authors. The biggest disadvantage is that it does not reveal all that the malware does, but rather simply what it did during its execution in the sandbox. Some malware will actually check to see if it is being run in a sandbox before doing anything interesting. Additionally, some malware does not immediately do anything nefarious, waiting instead for a certain condition to be met (for example, a time bomb that only activates at a particular date and time).
2) The alternative is "Static Code Analysis." In this approach, a highly skilled analyst will either disassemble or decompile the binary code to translate its 1s and 0s into either assembly language or whichever higher-level language it was created in. This allows a reverse engineer to see all possible functions of the malware, not just the ones it exhibited during a limited run in a sandbox. It is then possible, for example, to see all the domains the malware would reach out to given the right conditions, as well as the various ways in which it would permanently insert itself into its host. This last insight allows the IR team to look for evidence that any of the other persistence mechanisms exist in other hosts that were not considered infected up to that point.
The second step in IR is eradication. What does this entail?
Once the incident is contained, we turn our attention to the "eradication" process, in which we return all systems to a known-good state. It's important to gather evidence before we recover systems because in many cases we won't know that we need legally admissible evidence until days, weeks, or even months after an incident. It pays, then, to treat each incident as if it will eventually end up in court. Once all evidence is captured, we fix all that was broken. The aim is to restore full, trustworthy functionality to the org. For hosts that were compromised, the best practice is to simply reinstall the system from a gold master image and then restore data from the most recent backup that occurred prior to the attack.
Name the 3 ways discussed in the book in which we can eradicate an incident.
2. Reconstruction, and
3. Secure disposal
How can sanitization help eradicate an incident?
According to NIST SP 800-88 Revision 1 (Guidelines for Media Sanitization), "sanitization" refers to the process by which access to data on a given medium is made infeasible for a given level of effort. What we call "Cursory Sanitization" can be accomplished by simply reformatting a drive. It may be sufficient against run-of-the-mill attackers who look for large groups of easy victims and don't put much effort into digging their hooks deeply into the victim. On the other hand, there are sophisticated attackers who may have deliberately targeted your org. and will go to great lengths to persist in your systems, or if repelled, compromise them again. This class of threat actor requires more advanced approaches to sanitization.
Name 4 methods of sanitization discussed in the book.
1) "Overwriting" data entails replacing the 1s and 0s that represent it on storage media with random or fixed patterns of 1s and 0s in order to render the original data unrecoverable. This should be done at least once (for example, overwriting the medium with 1s, 0s, or a pattern of these), but may have to be done more than that.
2) "Encryption:" Many mobile devices take this approach to quickly and securely render data unusable. The premise is that the data is stored on the medium in encrypted format using a strong key. In order to render the data unrecoverable, all the system needs to do is securely delete the encryption key, which is many times faster than deleting the encrypted data. Recovering the data in this scenario is typically computationally infeasible.
3) "Degaussing" is the process of removing or reducing the magnetic field patterns on conventional disk drives or tapes. In essence, a powerful magnetic force is applied to the media, which results in the wiping of the data and sometimes the destruction of the motors that drive the platters. Note that degaussing typically renders the drive unusable.
4) "Physical destruction" is perhaps the best way to combat data remanence: simply destroy the physical media. The two most commonly used approaches to destroying media are to shred them or expose them to caustic or corrosive chemicals. Another approach is incineration.
How can reconstruction help eradicate an incident?
Once a compromised host's media is sanitized, the next step is to rebuild the host to its pristine state. The best approach to doing this is to ensure that you have created known-good, hardened images of the various standard configurations for hosts on your network. These images are sometimes called "Gold Masters" and facilitate the process of rebuilding a compromised host. This reconstruction is significantly harder if you have to manually reinstall the OS, configure it so it's hardened, and then install the various applications and/or services that were in the original host. We don't know anybody who, having gone through this dreadful process once, doesn't invest time to build and maintain gold images thereafter.
Another aspect of reconstruction is the restoration of data to the host. Again, there is one best practice here, which is to ensure you have up-to-date backups of the system data files. This is also key for quickly and inexpensively dealing with ransomware incidents. Sadly, in too many orgs, backups are the responsibility of individual users. If your org does not enforce centrally managed backups of all systems, then your only other hope is to ensure that data is maintained in a managed data store, such as a file server.
For proper reconstruction of systems, you need Gold Masters and Up-to-date backups. What are Gold Masters?
Gold Masters are images of systems and their correct configuration settings.
How can secure disposal help eradicate an incident?
When you're disposing of media or devices as a result of an IR, any of the 4 techniques covered earlier (overwriting, encryption, degaussing, or physical destruction) may work, depending on the device.
1) Overwriting is only feasible with regard to HDDs and might not be available for SSDs
2) Encryption-based purging can be found in multiple workstations, servers, and mobile OSs, but not in all
3) Degaussing only works on magnetic media, and some advanced magnetic drives use stronger fields to store data and may render older degaussers inadequate
4) In the end, the only way to securely dispose of these devices is by physically destroying them using an accredited process or service provider. This physical destruction involves the shredding, pulverizing, disintegration, or incineration of the device.
Validation is the third step in the IR process. What does this entail?
The "validation" process in IR is focused on ensuring that we have identified the corresponding attack vectors and implemented effective countermeasures against them. This stage presumes that we have analyzed the incident and verified the manner in which it was conducted. This analysis can be a separate post-mortem activity or can take place in parallel with the response.
Name the 4 methods of validation discussed in the book
3. Scanning, and
How can validating patching help in the IR process?
Many of the most damaging incidents are the result of an unpatched software flaw, whether it is a known vulnerability or an unknown one (zero day). Many organizations rely on endpoint protection that is not centrally managed, particularly in a BYOD environment. This makes it possible that a user or device fails to download and install an available patch, and this causes an incident.
If this is the case in your org., and you are unable to change the policy to require centralized patching, then you should also assume that some number of endpoints will fail to be patched and you should develop compensatory controls elsewhere in your security architecture. For example, by implementing NAC, you can test any device attempting to connect to the network for patching, updates, anti-malware, and any other policies you want to enforce. If an endpoint fails any of the checks, it's placed in a quarantine network that may allow Internet access (particularly for downloading patches) but keeps the device from joining the organizational network and potentially spreading malware.
If, on the other hand, your org. uses centralized patching and updates, the vulnerability was known, and still it was successfully exploited, this points to a failure within whatever system or processes you are using for patching. Part of the response would then be to identify the failure, correct it, and then validate that the fix is effective at preventing a repeated incident in the future.
How can validating permissions help in the incident response process?
You need to validate permissions in an IR to find any elevated permissions that may have caused the incident. Some organizations give their users excessive permissions or even administrative permissions. And some administrators do all their work (including surfing the Web) on their admin account. Also, some organizations still forget to disable and delete admin accounts when the administrators leave the organization. They're still active accounts! And sometimes, admins incorrectly assign permissions. Another thing to look out for is "privilege escalation" attacks.
Conduct permissions reviews and user account reviews.
How can scanning help with validation?
By definition, every incident occurs because a threat actor exploits a vulnerability and compromises the security of an IS. It stands to reason, then, that after recovering from an Incident, you would want to scan your systems for other instances of that same (or related) vulnerability. Although it is true that we will never be able to protect against every vulnerability, it is also true that we have a responsibility to mitigate those that have been successfully exploited. This will prevent a recurrence of the exploitation.
How can monitoring help with validation?
So, you have successfully responded to the incident, implemented new controls, and run updated vulnerability scans to ensure everything is on the up and up. These are all important preventative measures, but you still need to ensure you improve your ability to react to a return by the same (or similar) actor. Armed with the information on the adversary's TTPs, you now need to update your monitoring plan to better detect similar attacks.
We already mentioned the creation of IOCs in chapter 6 as part of isolation efforts in the containment phase of the response. Now you can leverage those IOCs by incorporating them into your network monitoring plan. Most organizations would add these indicators to rules in their IDS or IPS. You can also cast a wider net by providing IOCs to business partners or even competitors in your sector. This is where the organizations such as the US-CERT and the ISACs can be helpful in keeping large groups of organizations protected against known attacks.
Corrective action is the fourth step in IR. What does this entail?
It is here that we apply the lessons learned and information gained from the process in order to improve our posture in the future.
Name the 4 methods of corrective actions discussed in the book.
1. Lessons-Learned Reports,
2. Change Control process,
3. Updating response plans, and
4. Summary Reports.
How can a lessons-learned report implement corrective actions?
Although there is no single best way to capture lessons learned, here is one that has served us well. The general approach is that every participant in the operation is encouraged or required to provide his observations in the following format:
1) Issue: a brief (usually single-sentence) label for an important (from the participant's perspective) issue that arose during the operation.
2) Discussion: A (usually paragraph long) description of what was observed and why it's important to remember or learn from it for the future.
3) Recommendation: Usually starts with a "sustain" or "improve" label if the contributor felt the team's response was effective or ineffective.
a) Every participant's input is collected and organized before the "After Action Review (AAR)." Usually all inputs are discussed during the review session.
How can the change control process implement corrective actions?
During the AAR, the teams will document recommendations for changes. These change requests will go to the Change Control Board (CCB).
How can updating your response plans implement corrective actions?
The IR plan should be reviewed and, if appropriate, updated, so that we can better prepare for future incidents.
How can Summary reports implement corrective actions?
The post-incident report can be a very short one-pager or a lengthy treatise; it all depends on the severity of the impact of the incident. Whatever the case, consider who will read the report and shape it in a way in which they can interpret it.
The book mentions two types of communication during the IR process. What are they?
1. "Internal Communications:" one key aspect of any IR plan is the process by which the trusted internal parties will be kept abreast of and consulted about the response to an incident. It is not uncommon to designate a "war room" in which the key decision makers and stakeholders will meet to get periodic updates and make decisions.
2. "External Communications:" Communications outside of the org. must be carefully controlled. Sensible reports have a way of getting turned into misleading and potentially damaging sound bites, so it's best to designate a trained professional for the role of handling external communications to government entities, customers, media, shareholders, collaborators, business partners, and investors.
What is the term for members of your organization who have a role in helping with some aspects of incident response?
You discover a major incident on your network. What is the most appropriate course of action regarding communication with organizational leadership?
Provide them updates on progress and estimated time of service restoration.
Your team has identified a strain of malware that took advantage of a bug in your mail server version to gain elevated privileges. Because you cannot be sure what else was affected on that server, you decide between updating the mail server software or reimaging the server's hard drive. What is the best course of action?
Generally, the most effective means of disposing of an infected system is a complete re-imaging of the system's storage to ensure that any malicious content was removed and to prevent infection.