Incident Response: Disaster Recovery Plan
49 Questions
Questions and Answers

What is the primary focus of a Business Continuity Plan (BCP)?

  • To develop detailed guidance for information systems
  • To keep an organization functioning during disruptions (correct)
  • To respond to specific incidents like fires and floods
  • To execute a full recovery to normal operations

Which of the following is NOT typically covered by a Disaster Recovery Plan?

  • Incident-focused responses
  • Retaining employee job functions during recovery (correct)
  • Full recovery to normal operations
  • Systematic testing of plans and procedures

What stage in the NIST 800-34 process involves identifying key assets for a business?

  • Planning maintenance of the plan
  • Developing a policy statement
  • Conducting a business impact analysis (BIA) (correct)
  • Creating contingency strategies

Which standard addresses business continuity management in the context of information security?

ISO 27001 (B)

What is a critical component of the Incident Response Plan (IRP)?

Addressing specific incidents thoroughly (B)

How often should the testing and training of the recovery plans typically be conducted?

Annually (A)

Which of the following is an element of the contingency planning guide provided by NIST?

Identifying preventative controls (D)

What does NFPA 1600 pertain to in the context of planning?

Standards on Disaster/Emergency Management and Business Continuity (A)

What is the highest score indicating a very easy exploitability of an attack?

10 (B)

Which rating indicates a critical vulnerability that should be addressed immediately?

40-50 (A)

During the detection phase of an incident response process, what is the main goal?

Determine affected systems (C)

How is the overall threat rating calculated?

Summing scores across five key areas (C)

What is the primary objective during the containment phase of incident response?

Limit the incident's impact (C)

Which score indicates that the vulnerability is hard to discover?

0 (D)

What is considered a low risk threat rating?

Low (1-10) (A)

What is a critical step in the eradication phase of incident response?

Patch vulnerabilities (D)

What is the primary purpose of a Business Impact Analysis (BIA)?

To contemplate likely disasters and their impact on the organization (C)

Which of the following must always be lower than the Maximum Tolerable Downtime (MTD)?

All of the above (D)

What is the difference between a differential backup and an incremental backup?

Differential backup includes all changes since the last full backup; incremental backup includes all changes since the last backup of any type. (D)

What does Recovery Point Objective (RPO) refer to?

The maximum amount of data loss an organization can tolerate (D)

Which of the following represents the highest level of damage potential according to the criteria provided?

10: Destruction of an information system; data or application unavailability (D)

How are vulnerabilities effectively described when discussing a computer incident?

Through the vulnerabilities that led to the incident (C)

Which backup type captures all changes since the last backup of any type?

Incremental backup (B)

Which component reflects the average time it takes to repair an item?

Mean Time to Repair (MTTR) (A)

What is the maximum amount of RAM that a 32-bit system can address?

4 GB (D)

Which files are essential during the boot process of a Windows system?

Min.drivers (B)

What does the Windows swap file help to augment?

Random Access Memory (A)

Which command would be used to identify currently loaded DLLs on a Windows machine?

ListDLLs (A)

What kind of data does Index.dat store?

Web addresses and search queries (D)

Which of the following is NOT one of the five Windows registry hives?

Internet (C)

What is a primary characteristic of volatile memory?

Requires constant power to retain data (B)

What term describes the file that stores items from memory temporarily on the hard disk in a Windows system?

pagefile.sys (A)

What is the primary purpose of capturing a memory dump in forensic analysis?

To analyze active processes and potential malware (A)

What do the properties of MAC in file systems refer to?

File modified, created, and accessed dates (A)

What technique is used to inject a malicious DLL into a legitimate process?

DLL Injection (B)

What is the purpose of the Pslist command in Volatility?

Listing running processes (C)

Which memory capturing tool offers a graphical interface?

RAM Capturer (B)

What does the term 'hollowed processes' refer to?

Legitimate processes that have been hijacked by malware (D)

Which of the following best describes the stack in computer memory?

Automatically managed memory for temporary variables (B)

What is the function of the Memory Address Register (MAR)?

Stores memory addresses to fetch data (C)

In Linux forensics, which command is essential for undeleting files?

extundelete (C)

Which term refers to the memory that is lost when the device is powered off?

Volatile memory (C)

Which command in Volatility is specifically used for identifying malware?

Malfind (C)

Which shell was originally the default shell for UNIX systems?

Bourne shell (sh) (D)

What are the three main sections of a network packet?

Header, Payload, Footer (A)

Which command is used to check the current configuration of a router?

Show running-config (A)

Why should a forensic investigator not shut down a router when gathering evidence?

It can erase valuable evidence (A)

Which protocol operates on port 25?

SMTP (A)

What type of data can TCP header synchronization bits provide?

Interesting forensic data (A)

Flashcards

Disaster Recovery Plan (DRP)

A plan to respond to events like fires, floods, or malware infections, to ensure business continuity and data recovery.

Business Continuity Plan (BCP)

A plan to maintain core business functions during disruptive events, aiming for sustained operation until full recovery.

Incident Response Plan (IRP)

A plan specifically for dealing with incidents, such as malware attacks or data breaches, focusing on mitigation and containment.

ISO 27001

A broad standard for information security management, including aspects of business continuity.

NIST 800-34

A contingency planning guide for information technology systems, providing a seven-step process for BCP and DRP development.

Business Impact Analysis (BIA)

A critical step to identify important organizational assets and assess their impact during a disruption, for effective contingency planning.

Contingency strategies

Backup plans and alternative methods to maintain business functionality when normal operations are jeopardized.

Information System Contingency Plan

A detailed plan for handling disruptions to information systems (IT), focusing on the recovery of IT systems.

Maximum Tolerable Downtime (MTD)

The longest a system or organization can be down before recovery is impossible.

Mean Time to Repair (MTTR)

Average time it takes to repair an item. Must be lower than MTD.

Recovery Time Objective (RTO)

Target time to return to normal business operations. Must be lower than MTD.

Recovery Point Objective (RPO)

Amount of data loss acceptable. Directly related to backups.

Full Backup

All changes in data are included in this type of backup.

Incremental Backup

Copies all the changes made since the last backup of any kind.

Damage Potential

Assessment of the possible impact an attack could have. (0-10 scale)

Exploitability

How easy it is for an attacker to use a vulnerability to launch an attack.

Affected Users

The number of people who could be impacted by a successful attack.

Discoverability

How easy it is to find a vulnerability in a system.

Overall Threat Rating

A combined score representing the overall risk posed by a vulnerability.

Incident Response Process

A structured approach to handling security incidents, including detection, containment, eradication, recovery, and follow-up.

Containment

The crucial step in incident response aimed at limiting the impact of a security breach.

Eradication

The process of completely eliminating a security threat from a system.

Recovery

Returning systems and operations back to normal after a security incident.

Network Packet

A small chunk of data sent across a network. It has three sections: header, payload, and footer.

Packet Header

The first part of a network packet that contains information about the packet, like its destination and source addresses, and the type of data it carries.

Router Forensics

Examining router configurations and logs to understand network activity and identify potential security incidents.

Capture Packets

Using specialized software to intercept and store network data packets for later analysis.

Analyze Packets

Examining captured network packets to identify patterns, unusual activity, or security threats.

32-bit processing

A type of computer architecture that can address up to 4,294,967,295 bytes of memory and is limited to 4 GB of RAM. It is commonly referred to as x86.

64-bit processing

A type of architecture that can address a much larger memory space, up to 18,446,744,073,709,551,616 bytes. It is commonly referred to as x64.

BIOS (Basic Input/Output System)

The firmware that initiates the boot process and controls basic hardware functions during startup. It performs the Power-On Self-Test (POST) and reads the Master Boot Record (MBR).

Master Boot Record (MBR)

A special sector on the hard drive that contains the boot loader and information about disk partitions. It helps the computer locate the operating system.

Boot Loader

A program that loads the operating system kernel into memory. It is responsible for switching between 32-bit and 64-bit processing modes.

Volatile Memory Analysis

A forensic technique used to examine the contents of computer memory. It involves collecting a memory dump, computing a hash for integrity, and analyzing the contents in an isolated environment.

Stack Memory

A region of memory used for storing local variables and function call information. It operates on a LIFO (Last-In, First-Out) principle.

Heap Memory

A region of memory where data can be allocated and deallocated dynamically. This means data can persist beyond function calls.

Windows Swap File (pagefile.sys)

A temporary file on the hard disk that acts as an extension of RAM. It stores data that is not currently being used by active programs, allowing for quick access when needed.

Windows Log Files

Files that record events and activities happening on a Windows system. They can be viewed using Event Viewer and provide valuable information for troubleshooting and security analysis.

DLL Injection

A malware technique that involves injecting a malicious DLL into a legitimate running process, often by modifying system registry keys to include the malicious DLL in the process's load order.

Process Hollowing

A technique where malware creates a process in a suspended state, then replaces its memory space with its own malicious code, effectively hijacking the legitimate process without crashing it.

Dumpit

A command-line tool used for capturing memory snapshots, saving them as .raw files, enabling forensic analysis of the memory state.

RAM Capturer

A tool with a graphical user interface for capturing memory, offering a more user-friendly approach compared to Dumpit.

Volatility

A free and powerful memory analysis tool that enables deep examination of captured memory images, providing insights into malware behavior, process activity, and system state.

Pslist

A Volatility command that lists all running processes within the captured memory image, providing information like process ID, name, and memory usage.

Hollowfind

A Volatility command specifically designed to identify processes that have been hollowed, allowing you to detect malware that has hijacked legitimate processes.

Moddump

A Volatility command used for dumping kernel driver information from the captured memory image, aiding in analyzing system level activities and potential malware presence.

Study Notes

Incident Response: Disaster Recovery Plan

  • Disaster recovery plans are in place to respond to various events like fires, floods, hurricanes, tornadoes, hard drive failures, network outages, malware infections, data theft, or data deletion.
  • Business Continuity Plans (BCP) aim to keep organizations functioning as optimally as possible until full recovery is achieved.
  • Incident Response Plans (IRP) focus on handling specific incidents.
  • Disaster Recovery Plans (DRP) concentrate on restoring normal operations to full functionality.

Federal Standards for BCPs

  • ISO 27001: A broad standard for information security management systems, including business continuity management.
  • NIST 800-34: A guide for contingency planning in information technology systems, outlining a seven-step process for BCP/DRP projects (policy statement, business impact analysis, preventative controls, contingency strategies).

Business Impact Analysis (BIA)

  • BIA is a process where the disaster recovery team considers potential disasters and their impact on the organization.
  • BIA identifies critical systems, priority of response, and maximum tolerable downtime (MTD).
  • Maximum Tolerable Downtime (MTD) is the maximum amount of time a system or organization can be down before recovery is impossible.
  • Mean Time To Repair (MTTR) is the average time to repair an item.
  • Mean Time To Failure (MTTF) is the amount of time on average before a system fails during normal use.
  • Recovery Point Objective (RPO): Tied to backups, determines the amount of data loss allowed.
  • Annualized Loss Expectancy (ALE): Calculated by multiplying Single Loss Expectancy (SLE) and Annualized Rate of Occurrence (ARO).
  • Single Loss Expectancy (SLE): calculated by multiplying Asset Value (AV) and Exposure Factor (EF).

Types of Backups

  • Full Backup: All changes since the last full backup
  • Differential Backup: All changes since the last full backup
  • Incremental Backup: Changes made since the last backup
  • Hierarchical Storage Management: Continuous backup system.

Describing a Computer Incident

  • CVSS Score Metrics: Scoring system for measuring computer incidents.
  • Damage Potential: Measures the severity of damage from an attack, ranging from no damage to severe destruction.
  • Reproducibility: Measures how easily the attack can be reproduced (difficult to impossible).
  • Exploitability: Measures the difficulty in launching the attack (e.g., requiring advanced skills or readily available tools).
  • Affected Users: Determines the number of users affected by the incident (e.g., individual user, many users).
  • Discoverability: Measures how easily the threat is discovered.

Incident Response Process

  • Detection: Identifying affected systems.
  • Containment: Limiting the incident's spread.
  • Eradication: Removing the threat.
  • Recovery: Returning to business as usual.
  • Follow-up: Evaluating and improving future responses.

Windows Forensics

  • 32-bit vs. 64-bit processing: Differences in memory addressing capacity.
  • Boot Process: BIOS, POST, MBR, etc.
  • Volatile Data: Analyzing running memory.
  • Volatile memory analysis: analysis of running memory.

Types of Memory

  • Stack: Allocated based on last-in, first-out.
  • Heap: Area where programs allocate memory dynamically.
  • Memory Address Register (MAR): Holds memory addresses.
  • Memory Data Register (MDR): Holds memory data in transit.

Linux Forensics

  • Linux file systems and logs.
  • Forensically interesting directories.
  • Important shell commands: ls, cp, mkdir, cd, rm, rmdir

Linux Shells

  • Bourne shell (sh)
  • Bourne-again shell (Bash)
  • C shell (csh)
  • Korn shell (ksh)

Network Forensics

  • Understanding Network Packets (Header, Payload, Footer)
  • Packet Analysis
  • Capturing Packets
  • Conducting router forensics
  • Firewall logs
  • Common Ports: FTP (20, 21), SSH (22), Telnet (23), SMTP (25), DNS (53), HTTP (80), POP3 (110).
  • Router Commands: show version, show running-config, show stacks, show interfaces to analyze the router's information.

Related Documents

Forensics Final Notes PDF

Description

This quiz explores key concepts of disaster recovery and business continuity planning. It covers the distinctions between Business Continuity Plans (BCP), Incident Response Plans (IRP), and Disaster Recovery Plans (DRP), along with relevant federal standards like ISO 27001 and NIST 800-34. Test your understanding of the principles involved in ensuring organizational resilience during crises.
