Lecture 1-2

Questions and Answers

Give one example of IR process.

System is working properly. Then, a user opens a suspicious email. Sensors do not detect anything. User tries to authenticate from their phone but says system is unable to authenticate. Help desk starts troubleshooting the problem. Since these are indications of compromise, security incident is created. Incident response continues from there.

What is needed for the success of IR process?

All IT employees should be trained to know how to handle a security incident. All users should be trained to know the core fundamentals of security. An integration between the help desk and the security response team. Good sensors (intrusion detection system) in places. For example, network and host sensors for quick and comprehensive detection. IR process must be in line with the laws and the company's regulations.

What are the foundational areas of the IR process?

Objective: what's the purpose of the process? Scope: to whom does this process apply? Definition/terminology: Each company may have different understanding of the security incident. Define what constitutes a security incident and give examples. Create their own definition using a clearly defined terminology Roles and Responsibilities: Who has the authority to take a computer in order to perform further investigation? define who has this type of authority and let the whole company know about this. Priorities/severity levels: Type of information affected by the incident and recoverability.

What is the role of an end user?

Their roles involve identifying and reporting security incidents. They should know how to create a security incident. They are required to attend the security awareness training.

What should end users do if the issue occurred but the scenario could not be recreated as evidence?

System and network profiles can be treated as digital footprints, and they can be checked for records of evidence. Check log retention policies records of events that happened on the computer. Also, all the clocks should be synced to get the correct timing of when it happened. Instruct the end user to contact support when the issue is currently happening and provide them with the environment to capture data.

What are the four phases of the NIST IR process?

Preparation, detection/analysis, containment/eradication/recovery, post-incident activity.

Explain preparation phase of NIST IR process.

implementation of security controls that were created based on the number of risks that may occur. Implementation of other security controls such as endpoint protection, malware protection and network security. The preparation phase is not static. This phase will receive input from post incident activity.

Explain detection/analysis phase of NIST IR process.

Detection system must be aware of the attack vectors. Detection system must be able to dynamically learn more about new threats and new behaviours. Detection system triggers an alert if a suspicious activity is encountered. To detect threats more quickly and reduce false positives, the use of security intelligence and advanced analytics are required. Detection and analysis are sometimes done almost in parallel: An attack is still taking place when it is detected.

What kind of tools are required to identify IOC?

A combination of these tools are required: endpoint protection and system logs to detect phishing email, lateral movement. Server logs and network captures for unauthorized or malicious process. The firewall log and network capture for data extraction and submission.

Explain containment/eradication/recovery phase of the NIST IR process.

containment: Perform short-term containment by isolating the portion of the network that is under threat. Then, focus on long-term containment, which requires temporary adjustments to allow systems to be used in production while rebuilding clean systems. Restore affected systems in minimal time. eradication: Remove malware from all infected devices, acknowledge the root cause of the attack and take necessary steps to avoid similar attacks in the future. recovery: To avoid further attacks, put the affected production systems back online. To ensure that they return to normal operation, test, check and track the affected systems.

Explain post-incident phase of NIST IR process.

Documenting Lesson Learned ✓It is one of the most valuable pieces of information that you have in the post-incident activity phase. ✓It helps to keep refining the process through the identification of gaps in the current process and areas of improvement. ✓This documentation must be very detailed with the full timeline of the incident. ✓Content: The steps that were taken to resolve the problem, what happened during each step and how the issue was finally resolved outlined in depth.

Who is responsible for IR in the cloud for Paas?

A shared responsibility between the cloud provider and the company that is contracting the service.

Who is responsible for IR in the cloud for Iaas?

responsibility is shared between the could provider and the customer. customers have full control over their virtual machines and access to their OS-level logs, the cloud provider maintains control over and access to the underlying infrastructure and hypervisor logs.

Who is responsible for IR in cloud for Saas?

The primary responsibility lies with the cloud service provider. In case of an incident, customers should contact the cloud provider directly or open an incident through the provider's portal. Customers should review the Service Level Agreement (SLA) to understand the procedures, responsibilities, and response times during an incident.

What would you do in order to include cloud in your IR process?

needs to update the contact list to include the cloud provider contact information, on-call process, and so on. include the cloud provider solution for detection in order to assist you during the investigation. Revisit the cloud provider capabilities to isolate an incident.

What are the six phases of the threat life cycle management?

Forensic data collection, discovery phase, qualification phase, investigation phase, neutralization phase, and recovery phase.

Explain the forensic data collection phase of threat life cycle management.

collection of security event and alarm data, machine data and logs and forensic sensor data. The threats come through the seven domains of IT. The more of the IT infrastructure the organization can see, the more threats it can detect.

Explain the discovery phase of threat life cycle management.

Search analytics: reviewing the reports from the network and antivirus software. Machine analytic: scanning a large amount of data and giving a brief simplified result in machine language.

Explain the qualification phase of threat life cycle management.

Threats are evaluated to determine their potential impact, urgency of resolution, and how to mitigate that threat. Inefficient qualification may lead to true positives being missed and false positives being included.

Explain the investigation phase and neutralization phase of threat life cycle management.

Investigation phase: The qualified threats are fully investigated to determine whether or not they have caused a security incident. Neutralization phase: Eliminate or reduce the impact of an identified threat. Automated process to ensure a higher throughput of deleting threats, and to ease information sharing and collaboration in the organization.

Explain the steps of cyber attack.

External reconnaissance: gain vulnerability information of the target from external sources and decide on which compromising techniques is best to use. Compromising: compromising the system. Lateral movement: the use of various scanning tools to find loopholes that can be exploited to stage an attack. Access and Privilege Escalation: privilege escalation is performed to move around without being detected. vertical - move from one account to higher authority, horizontal - move between same level accounts. Concluding the mission: exfiltration - extract sensitive data from the company. sustainment - remain silent and install malware in the victim's device to access it anytime. assault - permanently damage the data and software. obfuscation - attacker covers up their tracks.