reflection 4
Performing Incident Response
Lesson 17
1
Summarize Incident Response Procedures
Topic 17A
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
2
2
4.2 Summarize the importance of policies, processes, and procedures for incident response
Syllabus Objectives Covered
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
3
Incident Response Process
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
4
Cyber Incident Response Team
Reporting, categorizing, and prioritizing (triage)
CIRT/CERT/CSIRT/SOC
Management/decision-making authority
Incident analysts
24/7 availability
Roles beyond technical response
Legal
Human Resources (HR)
Marketing
Image credit: John Mattern/Feature Photo Service for IBM.
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
5
Communication Plan and Stakeholder Management
Prevent inadvertent disclosure
Call list identifying trusted parties
Communication plan
Share data on a need to know basis
Out-of-band communications—avoid alerting intruder
Stakeholder management
Communication with internal and external stakeholders
Notification and reporting
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
6
Lists the procedures, contacts, and resources available to responders for various incident categories
Playbooks and runbooks
Incident categorization
Prioritization factors
Data integrity
Downtime
Economic/publicity
Scope
Detection time
Recovery time
Incident Response Plan
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
7
Cyber Kill Chain Attack Framework
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
8
Other Attack Frameworks
MITRE ATT&CK
Database of TTPs
Tactic categories
No explicit sequencing
The Diamond Model of Intrusion Analysis
Framework for describing adversary capability and infrastructure plus effect on victim
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
9
Image: Released to public domain by Sergio Caltagirone, Andrew Pendergast, and Christopher Betz (activeresponse.org/wp-content/uploads/2013/07/diamond.pdf.)
Incident Response Exercises
Tabletop
Facilitator presents a scenario
Does not involve live systems
Walkthroughs
Responders demonstrate response actions
Simulations
Red team performs a simulated intrusion
Image © 2017 Kentucky National Guard.
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
10
Incident Response, Disaster Recovery, and Retention Policy
Incident response versus disaster recovery and business continuity
Disaster recovery plan
Response and recovery planning for major incidents
Business continuity plan
Making business procedures resilient
Continuity of operation planning (COOP)
Incident response, forensics, and retention policy
Digital forensics requirements
Retention policies for evidence preservation
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
11
11
Incident Response Procedures
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
12
Review Activity
Utilize Appropriate Data Sources for Incident Response
Topic 17B
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
13
13
4.3 Given an incident, utilize appropriate data sources to support an investigation
Syllabus Objectives Covered
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
14
Incident Identification
Precursors and detection channels
Security mechanisms (IDS, log analysis, alerts)
Manual inspections
Notification procedures
Public reporting
Confidential reporting/whistleblowing
First responder
Member of CIRT taking charge of a reported incident
Analysis and incident identification
Classify and prioritize
Downgrade low priority alerts to log-only
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
15
Correlation
Static rules and logical expressions
Threat intelligence feeds
AI-assisted analysis
Retention
Preserve evidence of attack
Facilitate threat hunting and retrospective incident identification
Security and Information Event Management
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
16
SIEM Dashboards
Analyst dashboard
Console of alerts that require prioritization and investigation
Manager dashboard
Overall status indicators
Sensitivity and alerts
Log only/alert/alarm
Sensors
Source for network traffic data
Aggregate data under one dashboard
Per-sensor dashboards
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
17
Screenshot courtesy of Security Onion (securityonion.net.)
Detecting indicators over a time series
Prediction of future events
Visualization
Frequency-based
Number of events per period
Volume-based
Increasing or decreasing size
Statistical deviation
Identify anomalous data points
Trend Analysis
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
18
Syslog
Logging format, protocol, and server (daemon) software
PRI – facility and severity
Timestamp
Host
Message part
Rsyslog and syslog-ng
journalctl
Binary logging
Nxlog
Log normalization tool
Logging Platforms
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
19
19
Network, OS, and Security Log Files
System and security logs
Application
Security/audit
System
Setup
Forwarded events
Network logs
Traffic and access data from network appliances
Authentication logs
Security log or RADIUS/TACACS+ application logs
Vulnerability scan output
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
20
20
Application Log Files
DNS event logs
Types of queries made by clients
Hosts using suspicious IP address ranges or domains
Statistical anomalies
Web/HTTP access logs
HTTP status codes
HTTP headers
VoIP and call managers and Session Initiation Protocol (SIP) traffic
Log endpoint connections
Type of connection
Via headers
Dump files
Data from system memory
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
21
21
File
Date/time and security attributes
Extended attributes and properties
Web
Request and response headers
Internet header listing message transfer agents
Spam/security analysis
Mobile
Call detail records (CDRs)
Metadata
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
22
Network Data Sources
Protocol analyzer output
Pivot from alert event to per-packet or frame analysis
Extract binary data
Netflow/IPFIX
Records traffic statistics
Flows defined by endpoints and ports (keys)
Netflow exporters and collectors
sFlow
Uses sampling to estimate statistics
Bandwidth monitor
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
23
Appropriate Data Sources for Incident Response
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
24
Review Activity
Assisted Lab
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
Managing Data Sources for Incident Response
25
Lab Activity
Apply Mitigation Controls
Topic 17C
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
26
26
1.2 Given a scenario, analyze potential indicators to determine the type of attack
4.4 Given an incident, apply mitigation techniques or controls to secure an environment
Syllabus Objectives Covered
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
27
27
Containment Phase
Response must satisfy different or competing objectives
What is the loss or potential for loss?
What countermeasures are available?
What evidence can be collected?
Isolation-based containment
Remove the affected system
Disconnect hosts from power
Prevent hosts communicating on network
Disable user accounts or applications
Segmentation-based containment
Use sinkhole or sandbox to analyze attack
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
28
Eradication of attack tools and access methods
Recovery of systems to restore the operation of business workflows
Reconstitution of affected systems
Re-audit security controls – what could have prevented the intrusion?
Notification and third-party impacts
Incident Eradication and Recovery
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
29
Analyze attack to determine vector
Reduce attack surface through configuration changes
New security control
Update existing control configuration
Egress filtering for firewall rules
Detection of other covert channels
Firewall Configuration Changes
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
30
Content Filter Configuration Changes
Secure web gateway for egress filtering
Update URL/content filtering using threat data
Data loss prevention (DLP)
Identify whether DLP mechanisms were circumvented
Mobile device management (MDM)
Identify whether MDM mechanisms were circumvented
Update or revoke certificates
Remove compromised root certificates from trust stores
Revoke certificates on compromised hosts
Re-key certificate
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
31
Re-assess attack surface and attack vectors
Social engineering
Vulnerabilities
Lack of security controls
Configuration drift
Weak configuration
Application allow lists/block lists
Change to least privilege
Identify failure of controls to prevent execution
Quarantine
Isolate suspect systems for analysis in sandbox
Endpoint Configuration Changes
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
32
Security Orchestration, Automation, and Response
Automation versus orchestration
Security orchestration, automation, and response (SOAR)
Incident response
Threat hunting
Integrates SDN/SDV APIs, orchestration tools, and cyber-threat intelligence (CTI) feeds
AI-assisted user and entity behavior analytics (UEBA)
Runbooks versus playbooks
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
33
Adversarial Artificial Intelligence
Machine learning relies on training data to develop analysis capability
Threat actor may be able to submit tainted samples
Adversarial AI
Security of machine learning algorithms
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
34
Mitigation Controls
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
35
Review Activity
Assisted Lab
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
Configuring Mitigation Controls
36
Lab Activity
Summary
Lesson 17
CompTIA Security+ Lesson 17 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
37
37