reflection 4

profiletamerrabee3
sy0-601-17v1.0.pptx

Performing Incident Response

Lesson 17

1

Summarize Incident Response Procedures

Topic 17A

CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

2

2

4.2 Summarize the importance of policies, processes, and procedures for incident response

Syllabus Objectives Covered

CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

3

Incident Response Process

CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

4

Cyber Incident Response Team

Reporting, categorizing, and prioritizing (triage)

CIRT/CERT/CSIRT/SOC

Management/decision-making authority

Incident analysts

24/7 availability

Roles beyond technical response

Legal

Human Resources (HR)

Marketing

Image credit: John Mattern/Feature Photo Service for IBM.

CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

5

Communication Plan and Stakeholder Management

Prevent inadvertent disclosure

Call list identifying trusted parties

Communication plan

Share data on a need to know basis

Out-of-band communications—avoid alerting intruder

Stakeholder management

Communication with internal and external stakeholders

Notification and reporting

CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

6

Lists the procedures, contacts, and resources available to responders for various incident categories

Playbooks and runbooks

Incident categorization

Prioritization factors

Data integrity

Downtime

Economic/publicity

Scope

Detection time

Recovery time

Incident Response Plan

CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

7

Cyber Kill Chain Attack Framework

CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

8

Other Attack Frameworks

MITRE ATT&CK

Database of TTPs

Tactic categories

No explicit sequencing

The Diamond Model of Intrusion Analysis

Framework for describing adversary capability and infrastructure plus effect on victim

CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

9

Image: Released to public domain by Sergio Caltagirone, Andrew Pendergast, and Christopher Betz (activeresponse.org/wp-content/uploads/2013/07/diamond.pdf.)

Incident Response Exercises

Tabletop

Facilitator presents a scenario

Does not involve live systems

Walkthroughs

Responders demonstrate response actions

Simulations

Red team performs a simulated intrusion

Image © 2017 Kentucky National Guard.

CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

10

Incident Response, Disaster Recovery, and Retention Policy

Incident response versus disaster recovery and business continuity

Disaster recovery plan

Response and recovery planning for major incidents

Business continuity plan

Making business procedures resilient

Continuity of operation planning (COOP)

Incident response, forensics, and retention policy

Digital forensics requirements

Retention policies for evidence preservation

CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

11

11

Incident Response Procedures

CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

12

Review Activity

Utilize Appropriate Data Sources for Incident Response

Topic 17B

CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

13

13

4.3 Given an incident, utilize appropriate data sources to support an investigation

Syllabus Objectives Covered

CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

14

Incident Identification

Precursors and detection channels

Security mechanisms (IDS, log analysis, alerts)

Manual inspections

Notification procedures

Public reporting

Confidential reporting/whistleblowing

First responder

Member of CIRT taking charge of a reported incident

Analysis and incident identification

Classify and prioritize

Downgrade low priority alerts to log-only

CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

15

Correlation

Static rules and logical expressions

Threat intelligence feeds

AI-assisted analysis

Retention

Preserve evidence of attack

Facilitate threat hunting and retrospective incident identification

Security and Information Event Management

CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

16

SIEM Dashboards

Analyst dashboard

Console of alerts that require prioritization and investigation

Manager dashboard

Overall status indicators

Sensitivity and alerts

Log only/alert/alarm

Sensors

Source for network traffic data

Aggregate data under one dashboard

Per-sensor dashboards

CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

17

Screenshot courtesy of Security Onion (securityonion.net.)

Detecting indicators over a time series

Prediction of future events

Visualization

Frequency-based

Number of events per period

Volume-based

Increasing or decreasing size

Statistical deviation

Identify anomalous data points

Trend Analysis

CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

18

Syslog

Logging format, protocol, and server (daemon) software

PRI – facility and severity

Timestamp

Host

Message part

Rsyslog and syslog-ng

journalctl

Binary logging

Nxlog

Log normalization tool

Logging Platforms

CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

19

19

Network, OS, and Security Log Files

System and security logs

Application

Security/audit

System

Setup

Forwarded events

Network logs

Traffic and access data from network appliances

Authentication logs

Security log or RADIUS/TACACS+ application logs

Vulnerability scan output

CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

20

20

Application Log Files

DNS event logs

Types of queries made by clients

Hosts using suspicious IP address ranges or domains

Statistical anomalies

Web/HTTP access logs

HTTP status codes

HTTP headers

VoIP and call managers and Session Initiation Protocol (SIP) traffic

Log endpoint connections

Type of connection

Via headers

Dump files

Data from system memory

CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

21

21

File

Date/time and security attributes

Extended attributes and properties

Web

Request and response headers

Email

Internet header listing message transfer agents

Spam/security analysis

Mobile

Call detail records (CDRs)

Metadata

CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

22

Network Data Sources

Protocol analyzer output

Pivot from alert event to per-packet or frame analysis

Extract binary data

Netflow/IPFIX

Records traffic statistics

Flows defined by endpoints and ports (keys)

Netflow exporters and collectors

sFlow

Uses sampling to estimate statistics

Bandwidth monitor

CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

23

Appropriate Data Sources for Incident Response

CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

24

Review Activity

Assisted Lab

CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

Managing Data Sources for Incident Response

25

Lab Activity

Apply Mitigation Controls

Topic 17C

CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

26

26

1.2 Given a scenario, analyze potential indicators to determine the type of attack

4.4 Given an incident, apply mitigation techniques or controls to secure an environment

Syllabus Objectives Covered

CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

27

27

Containment Phase

Response must satisfy different or competing objectives

What is the loss or potential for loss?

What countermeasures are available?

What evidence can be collected?

Isolation-based containment

Remove the affected system

Disconnect hosts from power

Prevent hosts communicating on network

Disable user accounts or applications

Segmentation-based containment

Use sinkhole or sandbox to analyze attack

CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

28

Eradication of attack tools and access methods

Recovery of systems to restore the operation of business workflows

Reconstitution of affected systems

Re-audit security controls – what could have prevented the intrusion?

Notification and third-party impacts

Incident Eradication and Recovery

CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

29

Analyze attack to determine vector

Reduce attack surface through configuration changes

New security control

Update existing control configuration

Egress filtering for firewall rules

Detection of other covert channels

Firewall Configuration Changes

CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

30

Content Filter Configuration Changes

Secure web gateway for egress filtering

Update URL/content filtering using threat data

Data loss prevention (DLP)

Identify whether DLP mechanisms were circumvented

Mobile device management (MDM)

Identify whether MDM mechanisms were circumvented

Update or revoke certificates

Remove compromised root certificates from trust stores

Revoke certificates on compromised hosts

Re-key certificate

CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

31

Re-assess attack surface and attack vectors

Social engineering

Vulnerabilities

Lack of security controls

Configuration drift

Weak configuration

Application allow lists/block lists

Change to least privilege

Identify failure of controls to prevent execution

Quarantine

Isolate suspect systems for analysis in sandbox

Endpoint Configuration Changes

CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

32

Security Orchestration, Automation, and Response

Automation versus orchestration

Security orchestration, automation, and response (SOAR)

Incident response

Threat hunting

Integrates SDN/SDV APIs, orchestration tools, and cyber-threat intelligence (CTI) feeds

AI-assisted user and entity behavior analytics (UEBA)

Runbooks versus playbooks

CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

33

Adversarial Artificial Intelligence

Machine learning relies on training data to develop analysis capability

Threat actor may be able to submit tainted samples

Adversarial AI

Security of machine learning algorithms

CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

34

Mitigation Controls

CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

35

Review Activity

Assisted Lab

CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

Configuring Mitigation Controls

36

Lab Activity

Summary

Lesson 17

CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

37

37